From c6ab55ecef3fb1fa8d17723787f2d6da96af4ed6 Mon Sep 17 00:00:00 2001
From: Michele Baldessari
Date: Thu, 18 Jan 2024 14:38:04 +0100
Subject: [PATCH 01/64] Set the user's passwd entry inside the container

The reason for this is somewhat multi-faceted, but boils down to the fact that openssh does not consult the $HOME variable to find .ssh/* files but only relies on the home folder entry in /etc/passwd.

So what might happen is the following scenario:
1. The remote is ssh based: `origin git@github.com:validatedpatterns/industrial-edge`
2. The main Makefile invokes `git remote show origin` which triggers an ssh connection
3. The ssh connection fails because ssh ignores the $HOME variable and instead relies on the home in `getent passwd`. Which is set to:
```
fedora:*:1000:1000:fedora Cloud User:/home/fedora/industrial-edge:/bin/sh
```
4. Newer podmans set the user's home folder automagically to the folder that is passed as current working directory (in our case we pass `-w $(pwd)`)

Under these circumstances the ssh connection will fail because git+ssh will look for ssh files in the current folder (aka entry in /etc/passwd):
debug1: identity file /home/fedora/industrial-edge/.ssh/id_rsa type -1
debug1: identity file /home/fedora/industrial-edge/.ssh/id_rsa-cert type -1

Fix this by making sure we force an /etc/passwd entry for the user running podman that points to the $HOME directory (aka /pattern-home inside the container).
---
 scripts/pattern-util.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/scripts/pattern-util.sh b/scripts/pattern-util.sh
index 745131b..9cec19f 100755
--- a/scripts/pattern-util.sh
+++ b/scripts/pattern-util.sh
@@ -35,9 +35,10 @@ if [ $(version "${PODMAN_VERSION}") -lt $(version "4.3.0") ]; then PODMAN_ARGS="-v ${HOME}:/root" else # We do not rely on bash's $UID and $GID because on MacOSX $GID is not set + MYNAME=$(id -n -u) MYUID=$(id -u) MYGID=$(id -g) - PODMAN_ARGS="--user ${MYUID}:${MYGID} --userns keep-id:uid=${MYUID},gid=${MYGID}" + PODMAN_ARGS="--passwd-entry ${MYNAME}:x:${MYUID}:${MYGID}:/pattern-home:/bin/bash --user ${MYUID}:${MYGID} --userns keep-id:uid=${MYUID},gid=${MYGID}" fi if [ -n "$KUBECONFIG" ]; then From 23969cc1ddd365533e671ef2cc8b3f9810ec7952 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Thu, 18 Jan 2024 21:04:23 +0100 Subject: [PATCH 02/64] Upgrade helm to v3.13.2 This is the version we use in gitops-1.11 which is the new default --- .github/workflows/linter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml index 947cc12..39aa63c 100644 --- a/.github/workflows/linter.yml +++ b/.github/workflows/linter.yml @@ -36,7 +36,7 @@ jobs: - name: Setup helm uses: azure/setup-helm@v3 with: - version: 'v3.12.3' + version: 'v3.13.2' ################################ From e67832844e5f3e4ddab97db8fe20a9164b6ace45 Mon Sep 17 00:00:00 2001 
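Review bot: in the pattern-util.sh hunk, `/pattern-home` in the new `--passwd-entry` value is a literal that has to match the bind-mount target for `${HOME}` that the commit message relies on, but nothing in this hunk ties the two together; define the path once (for example `PATTERN_HOME=/pattern-home`) and use the variable in both the mount and the passwd entry so they cannot drift apart silently, which would bring back exactly the ssh lookup failure this change fixes. The entry also sets `/bin/bash` as the login shell where the auto-generated entry in the commit message used `/bin/sh`, so confirm the pattern container image actually ships bash, and consider a short comment above `MYNAME=$(id -n -u)` stating why a passwd entry is forced (ssh ignores `$HOME`), since the reasoning otherwise lives only in the commit message.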
From: Michele Baldessari Date: Thu, 18 Jan 2024 16:29:05 +0100 Subject: [PATCH 03/64] Drop old patch around null subkeys Now that we switched to gitops-1.11, the helm version is recent enough that we're not affected by the subkey null bug any longer. --- hashicorp-vault/README.md | 6 ---- hashicorp-vault/charts/vault-0.27.0.tgz | Bin 48690 -> 49088 bytes ... 0001-Allow-per-service-annotations.patch} | 0 .../0001-patch-server-route.patch | 28 ------------------ hashicorp-vault/update-helm-dependency.sh | 2 +- 5 files changed, 1 insertion(+), 35 deletions(-) rename hashicorp-vault/local-patches/{0002-Allow-per-service-annotations.patch => 0001-Allow-per-service-annotations.patch} (100%) delete mode 100644 hashicorp-vault/local-patches/0001-patch-server-route.patch diff --git a/hashicorp-vault/README.md b/hashicorp-vault/README.md index 84065ff..26252b7 100644 --- a/hashicorp-vault/README.md +++ b/hashicorp-vault/README.md @@ -10,12 +10,6 @@ ## Patches -### Issue 9136 - -**IMPORTANT**: Due to the fact that 'null' values do not work in helm charts -([GH#9136](https://github.com/helm/helm/issues/9136)), we need to patch the -chart to skip setting the host. - ### Issue 674 In order to be able to use vault ssl we need to patch the helm chart to fix 
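Review bot: the README hunk removes the `### Issue 9136` section entirely, so after this change nothing in the repository records why the host-skipping workaround was dropped or from which helm version it is no longer needed; since `update-helm-dependency.sh` is touched in the same commit, add a one-line note under `## Patches` (or a comment in that script) naming the helm version that fixed GH#9136, so a later bump that reintroduces the chart patch is not re-added by someone reading only the README.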
diff --git a/hashicorp-vault/charts/vault-0.27.0.tgz b/hashicorp-vault/charts/vault-0.27.0.tgz index 574b3e743442466c1d05f9c38bf1e69c0f82f037..24a07991517b476c1391b305d0953e9e231a030c 100644 GIT binary patch delta 48301
zVd}Z*pJ;E9`6l0qQWH3U&^AIzpw;ax`XlG+=q@7C(`(5Li!`(0JZsgk1K&2u+y(V* zRfOkjKj@HDl2ILAl_kd&xH%O?_Ti)2*G|dW+)SnpAWFRvWOgFMITMIEKc5` z$?Z8<&vac!M|}~c&bbKKUWm7(?1a$&GIPUYbWS)v@Pplu8K~u?E?-+y!z(J`orL0F z8`Z_lupk=|&6Vce&!IIi__&=q{4+0ElACQv+pJbf=fPt=quI0!Ky$%O{MKNGguxr! z=qF|h)QW#zP|6kJ2#1eOOFW0L7p^)!t7LPe->+ah7alSluNLK^sPX#Oy6DiIn#wOB z_m_D^;dc%2Rq*#>2heSyil)GEs5sB$GBQqN8w_k*II4VQJk1?Fy%+=imZ+qgJU-f} zP{a!JbddXiy4-;hfJ6i+EK~AiX)T{8( z03PWd*Q-T-A_#u1s+(0oYq{^Mu=KFxNC9Lue1j1Y+O+Q=j^;ZEY^_f?ToRkdoy+UY z38|}#x~7Pc6LB2?c@%6eiI!{g8&ULXm;0l9I#@T#;HpW9M%HzR?W~pAMI71~g>TBo zG@QWbP$nA!u%(7wagZ+`!aSRjW;`0qaG!NT#%kpdf!ZQts#Soi8nWq;yqo8Z=dcB* zNjnFkN`$Cjs|HRuIFPIL#E#Kd&-Q4ZJK zG2NEYb80z)iS7?3@-RUBR(JisiQggR)PF0)-YKdzP;n5tZ7Q*33@pT`g~pp=O)Sw0 z$F=~;bYa<4#tFo`CDo9=H6%;GFsqA3uIY-#YF>|$@(?;`{>U$;#WS#3W-~3^i892r zF6KL7&^lnB@ETj+&gaS6LvF;tsepx1ouphP2AvO z+Ak`Q+jo#+!@BM~V*1cC@tgasEeT0gr@U&~9dMz-RGYoolv9VmLWSTZ2wn?_O>mh5 zS`W*XT$YOa(jp*@5;jD-`J=>o>TO909fn=>^74x;ugxdCnQ~&GlPnn0Ka>sfF-i`Q z*ZjK0Y#3J$$}*^_gT93yVGlkSTdhQ-E49^@V#Ed#8)d?&$#6T!At)-YK^DKzQWrCC z5<@Vojizr@;M5+B6}Lf%kZ=#)fF{|CiMD#vPXdK5RoehWZPy0UO_S` zAp-46kTzi_j4S?<%(9BHhQ?i-XJ1q+yl8jZu(NGmrgXPt19U-Yh#wF+(L0Tc31}_}h@Wy`B#`un!YbkUYdAB1_t?5C(6+ zx0waXjF5*gCJ{m1= z%WiBwr3x~%Ox)P_I?ZWXlWr`=sHchy+O6Pcp5FWp zwCl^%2b4CKbE_lj;`N_?22};;KRk<(f$(ALzNy+0zEAh2-+soCkk>3m{I)d$>a0wi ztq@%XGVZ0TTCOZt%0D&YDm4Y|+U0bh+MJi>Gzvaj_kWv{;;L1t123&SgNc6E;fChE z0nkqA`9{_T-L;7-Qxz5(dSu43xhbmWTlvsnzmQ^DpgqmLiBi_Yzfo7$&+}QYM1@ed zR>rVxjE6xvV_egGs>TX`ge_uQ4EJK$Z-2dMrfaNOT`;lNd$-uVkVZ4zuf+>H}JXZ3yWdjUi>e0?{!{w7dQW^Ko~Fsf_xl8+;%qM zbuae@EuT1c|3?+{0FEwF#_m*wlX(6pmrei&uR&GVw@^lz6grYmuq9Ho2RTagZ;!8e zaP9|G^^uN^&%D_ZZ2994!~<0?7|uR^>-Lv?v>X#t+Avfh+*>n4e8}75v|*WV#AKqcF1K+AoDC*Y z1W>nQWv&yol7@t8Up|-U`GD9bhHO^z9m3lPP4RC6{XuI$TXSNP#oOOC!qi)E{G@WP&8AGTq9XbF58VXmLfZ72 zF?ulm+15DZXeR5;fP($!=e=Ast6T3#%XIFM?jWp}N6lUVrqKSEK1LEOCuF$SBCR1t zpI^7I5{0?ywKpP3aU0$2mPGtMYG)b#pK)+S$eIXJLvBOjy>aT-*R!w_?4Rz!0NK*M?Kc$c0hkd(_r)#j_~>u6G2+F))Xf0jnfkBq*~+^yB^ zau`$h?ii07?Sv|+Bajpdo@_>=_gW5Qc_W?5D 
zy?ZLmIxu|VXX_otulEyM+jhOPLleAMOYYq)xnwL*S-|+E=(q9boHZBSl0$fsykfub zG5(RkXWsOjSnWe8LPfH@bM&wi`SWy>VU$y&-r8d62q{*rl{D%FUr*sm6Hs*()c0xHZ72Mi@;JPZQIsjiD#a#S^|EynPQ-yae~(UD+cF) zXp7WKat@2_7)h(Cw)WxJTYPyON_g4VR*c{w1)6r!J%wymf|}MJO{>={ zfaAcA*#X&MagaB9Wxu_b#k!#>FP{`-#~M*5oU#sK%62^wchixm4)~IPQAT$;X&koN z?vFJg#*cNbudf1KKDX9PxXq8Me5Yh>`kHP|3N0@VfNd*9aXXYP{2DMRWR?(d`i1rT zFBA0os=dvjgyab~p-oQ1`t62axfOJSzGmajV2IcRH_1k~I6FZH)Pae+AVQE%gOwqh zEysn);hdQ#1r;XYUqEhVAis2z*mg}ttVaI=n+I@_9aT`?^NIaNP0Zia)dLFs$@@i| z89ah0;i`$nfw4slwQ0#U=TOKNO2Amd={qmxBnhuN%vX`HE;G*^_5{GkcpytQKMcja zZg9xy=2z{y+cTI-|DWoXocMxwBs=Bh*18iu{`M`Dv9_%S2!PamRQ+g@;J`d^N&CtG z(?Kf4crx=pHMqFx92H_J?G}&hFpMMo?-P9}`W z2Kq-sUFP3V-G(NkS0D&EWEOi-8rB9;sMz zm0lEqw;_*;Y{0SmDM!pP?xK52$X4n_@p-qjg7rJlekBwzM_ezgEsDYnq2Qs(&}vy3 zkIbe@G3V+(Ur1D`;=m3!rpNE zLubARF(6dIF^2LQ(V|mN;D8L4`ep?y%VypO%GXqjkiel7B-3RB=r{bNQ~orP*Y26e zQh5CkV$e%0i^)KFTLDaAGd_po-N7sw6DNt(?sx{Q4dw@W&Xv5rpuO~ zBml=_b4;LTzsv5?yp@8Q_itdqX`~$#$U*npeS=YV$O-;QWI z`GQf;b}Z6V*nlMui9NzG=XxHbpMB6dF3G9(EZuavF1@l`IR(#(n)+Yw-?E>wo^R>k z%dzHXPKk)P5wmGWnnP|mzS3;MGTOTdo`C&?g}J^qWcvPrv~XIKft+$x#-PxQ z>P$QIUgBs&@>@MyDt;fN6J0Raxk1&z7gDcsnlxzT;v40gyxVXgYsVhWsA;yBYa>(=oJZ%7-DnvawU3>KJfd-{@a zN@aY!0p(?E2G8&KI_jG@VL%2_?@!OFzq0=iGV|Hh`nv3 zKMTOUB|M>1Qi~&(`r9~N{g-?pDy2zdDm|k%@e|Ry@B_I5oX26qhM!nh079^%|Q9MKt!vWC{=NIOIZ@S|Du;sf$9<3Op?O;>x_1oxxu-~ z!~?3qW2B|<*FOyo<222Qu=Ely;$M64G-KJ39tTomMNw1qW`M;sha#LYSv_}Ms{T6p z9+9u^AY@ZnmMY)6N)aT>V&u*}_9e7&hdirBEml8H$%?7 zn=5=*bupf$rOaNU$mD7!fNsUM}q?HLy_VOooI_eiNL7x+q{i1B7-C~mibb~ls!EQzz?#aWy z1j5DylnUjSCrNve-?pnhyix;a{^;J+M-D*A=L_8~4g=((vO!jjqmFR=YhvxGLw*J< z$d*_XUE9qIOt_rZYh1UT7UydZ_15#F-fRhggR$01b0A%?+|eBoS!{eRq{W;~g$To- zeUWhApt0siXtf8T#+t4;tf>DQFG{9{U>vSTfnm^6%mLxCbDt@wFvFlJMy%oG$(4vt1d%uz~j z#y@`_-W;dC*f92Uk)Jbhb$B)|Yj$E5%MgdA^QNCQ0>3N3Gm6x{kQ~{({;8> zb6{5#5Wcx@hgi-`2q=ri550=_^2kq}8vs{576Y89*HDf%>4bt#yC=v!mUl`?K>T3F z?;J>4#{>&fckc{sf0wLb=*$aZ3aY**C?)Hbqg)82)vFqi%aWMBRffX3T?-0GFs7Ou z5>#lLR=mzbQfRFdJb5#LW920NY=_vCIzV`^wx5c?VmTOSoNI&uv4~L7k_ZZPZoJO- 
z(g0BUQVwPP>;u`AU=ID>SL3MA#PvUXU#$m94%?Gyd336_cqQ6~LI=9p31i`7%2PES z5vm{kCk4CqYHJPF?;7F%%1xzlTy{&Z1QaoJrAYiu1GxIO!u9!=RN(j#M5fyUPShMM zl(;BObz!OsRqR`T{n0*`_ri7^?I0kB9s`s@6=J@it?v=Ul&~d8RTIydC4=EdGF+89 z!8p)LEe|zw>b095=*lnWt4Pf#bjqVC`7d+Z=<6m8TG!+&C0T!oN1Em@Jlas-I)70& zU$&SxZk5`!O2MjUfS|*k09nZF3Y8QD{RLVbZ0DD_>1&3eC~IfV6iG|)s^A4O=muCf z=AQKzZ=ah;P+(v7B$(bwnSy;{L*LF+~k~}*F9SuI4$c6NkkwiK+ zww^T;i%b;_4lm^3(Q>84sKgcplcP0+-&$*}y}j9KfJ{HJ+3{<}*dq=$2bmO;)K(I& zBcrZlYrQHf+A2%4RzobArb>&yHv_&rmbs;kILl6o$1IECxTDlFX(uu+o+G(s-gc8_f%s?uK_$88f8USP`$4 zIFh|iS56ZOFT&#|*t$QFa}JEf`95dgS$9KdQ2(yYs=jNXpPQm1IG{LcLYW)_4nWR58hgy?Iv z&lK?ljsvZm^xqDKx%h;VRTxH2jgaNx=3NW3qz5wjck)YLL)rMG1e0t|UW$>HidVzS zqRfqV%Mr|+R;{*rE*BlPnxi1-o+%$j?p&oqs#&tX%S%0uHVZUC$@vnej|@Aa&o z!TAsVw)}2cb%Cd+jlUo)u1%HN%-ce-k3SFEa~$JMRc*$rP4R6B$4hAyfkk=Nk67sjlYq2kth* z*)FzL1LaSO$YQc?sstqHUnxjWB`)oHD`l}AA;;)PUr=h_iUv7XK+I7xeM0ZGyhn8K z+I0g4(ev8IXjx;dROekv4ul}rf1_}EA9k_G_|fjk;;?EE6elTexJ)A1wG4SMx7Y3p z{9YDHagL`Y%(zGo9m2e`P);E`@B8vxK*B(*BWnis)3y2;Km+ja?RLWuE8hyM+|Dj? 
z+Sqr^vLoEPB9*xq|5CRcww-ZQa!8a{-#YAHV_rA>R{=cwa`*TJoTA(U5|KyEM_s|@ z2{#;_*sHN~o!xG#HK|4s9d{3ds!TctDQOWSaf2|gk=t>zQK z8;U{w9PKu#5@U>TXZ0| zMD{hQs50)Xsg#7-rMvP-o!B&OX{Wp&mVY%RswBqin4Cq^%p_4sGM7{> zF$;4}fC0>SZks*zz}xP)E|^U;Wv8Vc_xxMEV-S%cR#PF>QVLhEikUUwC|xN>FL?BfNCSUxsJ5zj9?XTdl#bm+xRmONB5VSCrIEvQoPm9V4w(*4N6$jsjjh$l@WP0;$g zEdbs=Jp^6*(rqFdFUl4OL-O_ZH}4q`Ra01&2yc8sey#L%{Ulu)252b_CV}hJZpGy}fjgR3>)yfP(=RIcmr~5%Pxq_Zs|%xm;8pOq4CkWn&o_zt=soYjbDD>Hmg6}Zi4q{ za#;alByQOWgH}n8D}w)G<@iaba0Yl~nUL^B0sB zYfX)y(a#t6?=Dda)rVHzv%i9vUY9P#TwF%}J5E^kT`8O{xaiCzJzPE)_gY7H6s3vJ zmb0N8Z7yoHSMDF!EMGge3plZqm;#|2K3$ zETt9W@s42$pvVq;#G04iM+A)#4xv6kNGDOuo9ALBe=X-YooQO=Eg_~bEu1!sC@Z3x zMW;Ugq$4~vlK0E(7$+`ka2&_GT1l2o%}3>YwvoTbza-}kC9YUM}S9Co@S)hKtr!h09LOi~-b#J$MLVi>+5^*67+c>iGS-%2LGy4)xMW-c^9U6ajw8{MU z*Eo2ArzBdoW1(hZkpvnIpwSI9x*PY3XSl5&9yPTg9rpY5Z|AVzj{f!251n4WdvMs^ z?|0yRrwjl6fclS%7EhkzDmFqtEOd2_4V;;;==%#z_iX%+=Zft%m&(F;j5_E5AM|=z zfQNnFL%iRm2G5K<{2I89<<)0yj2 zx2cnssVwjj`lP^%V`5wAGbNdtV(Fi;?LfgJbl-(XD|qZQJN;(2reR05b<1V%E~isn z)fGdAgBa=6=7iQUcU{XlYPB979-53WEt~uYs}zfxu2L|5j+ySxz1x4LN*1j-1*ihR z7N=!fd1y_$U9H>hsu~7P@_zc)Ucawl^^g+Sd*!dU?|c3C2e|#d+hRD}jBI_O*vm6A zBR9Voih9?y%vtRYFCU1lLBBK*0}X#2ta`TYF5xFOReQ-=$KTu7b>P=RF_jr!V3TH7 zJeMpKkw-VDw&J+9r@DWhjca$_Ee^Wu&EGyiw{_dicBB2K#(SLC=@8FWF+-xb@ue~~ zfQ}dCa^Agn%4Jj?y#a%DuWQ(@-TSR-H@k<;cI~NYe3!BlpEE9AScc+a=TTMytIPjh z8~*I%{}z%w{uh^%;kfC3aVxB&K>oM;{jMbc`@LRwC;zvRYLkDtV&0)8@z9jmAfuo= z3_~|(vY`H-TJ3^7Aa|~~EcaZw$4JALL6%tKS>CY^&YXCLh73aP5CKsDMIa+l9Yjpz zIRLuGCI1766Z9KMLEFSYdPuofbVIo{Fq&f5IL-{d%O9+jr8?v>*v}rv6i+zo4e?(x))CTcj$lARGYQ&=;WV`GhKx(0dAaX zKpXm0$Mz9AADuP2u)h1bMd|zN*9P+G2-O)~HG!IjCY{n+9W_w{ve8`n6e*^L-bOy} zp||)Cc=K5?JnYa9O-6-H%)g^=$R%Uf2JW$k>ad2!^*shJwhigj?sQW-LdT4B&lRh- zz^KO+8NOAo0&)8ZvHWvg8$5K=dNH!#o33TC_=EMYTgCxG2DrzSDb=;1{B8QP0@rDj+R!2?`pKh?J{0! 
zjO}}%3|i3dX5LrLxoRAtZwwqm5`AUAX%aNx5B7h|Ah(Lq#9v&fP%)Tr7-*X9V?$G2 zffv|u>gWTiQv{03)?@X-FyK6ZQjaO{lX-$?HOEA2)+5M zO+1S=qk-y_(}OthHHq|{kUNU163=v!`unAv4Cf$lGs*RxscQW9+P6hn`7N#4l zxi=F7Mf`vNK+^woJNv!E9sl1(dhz`K7fzv-iUC3OFI*ZxL$2_Y;_l0XoW6xzNzqz? zKy|!ZdVq9<{~z}Dcl>{U zE9n{Xf8cgb$m&lRF^;jjF^AtwefPq+e?-rQqFPnW?@p>Svz0T}LN)}U+Q}uq!@Mt1 z>>Dy+jDR3eF96|lTK*gxp*Wz3<%#HU$HFS@Y|nyW#$%|*#j_>ves^h!E=t8JUZhEL zOTAF4+(P+sZHDJi0s;s!dLnks@*aPQj*4e3k6L;aF>Rj%!>PK&=2a~eSDl|lD6uM9 zT!$L{!4#-PW+c-`#<0xAQ=Yf^h^{wrvgUwAv<&LcnE`U4koMol0L1B^zmetu1(l?J zn$@2Hsl`H)@~x1LiRl7P6kr5MD#=^6PFN8`ah!N3B|asHIj69srbfPEK`ejoF4p7I z!8j!P&4op!o#?l$+$PbmKbuNqSEf_lgm%WVs?f=bZh~|Q3A=&Tn{cV)8fa!>)viba z0hS3M`T}IdQS8)&f?}_sZi_fN^v;qVbfji+m09dyLO>kB0FH>EtIGtr@N!m=A&!q? z&muj^d$Z918nTFPx*uA8m$iSyNeof%61g>e>&-sMESJ8F*OfXI<_kp~GkZOmS@_^- zjs`dBYtR9eYs!a^cHEQ$xlxjYc-cF=OjZ`1f0@l@%xeIhpO!a;;f47_R@dpKHdd}5 zoA>ev^ZD|5aD6tp8JwJ4rD41339yU{J!yo(NBlVKsMRWQ^c5Sh6%T(U<8`ijDw#(r z0o3PnGFd$8_r&lP_?+pJ(}&+DWymQtcR@>y6n73C8E}APUsXUPJ}&%VpAt%gQUrFh zF^ZGXn$s`ZJIUeBn1iuG(P>y_JPiFFo7iziHo3*|0il*vzhd`D!ouRsonyst=Pes6 z+EUIzsO`f0_WO41!xVp(v!0D7bC6|oVrU7G5W}S@XP5hf3SnI_POzaYfzJ|Ca|$4) zl#qd17*;V_IdHMOG9brOL0CIw8!Km*!MXYZ6VEM&SUhta6df=9xeRz5nMy`n0=e;! zOYk-ua|zgngDyeK9`y>CVyU$(16aJM^#d4AgRRqh?O*5h_iA6nQ|#rh+(j4BcqV*FNIvB{-YUboT7o@iXKvlww!&}~Oq zLBUe*?DE%}v*G9AS@EJNY=J>$XVm03v0O^R{&;zHKA5Zs{3Ed!iYq~vHdOIOf$$$V z7sR|G1iBzFkn(?%Vi@FMWb603foFK=sEVO*x2LHBtGhTTnA(@7v813rLVjoI0G*}) zWp!RVRMFaLx09d5i4J^=ek@*uNfwRK6kYQak}YM5w>)!Z4!^M}&8vPLw!(sI)#X-+ z*^_w1fu$%7(pSNA;_zn1B^YaXrf$&(<(%mDBZ-9!a#4SM6WchxRoK{;rw^#ZT|(32 zI4rQHdoZKUp_lAs_5kHjO+vsbypBV`6azu@uX_F8wWxU@yb<2a>;pFl zgqJhy#&UmBY(zJdR2@eSP;E_81 z_m>00P<4SKZD2iQ_RUjlV;HWM!ghTPO1vif_rEPl&8;6<7Ak5R zE@=dPz2->pcEGy|WJDJKuf*_Aq$2*`YxiaQkHdf7&i;EV>E-hO$_)SF7Jsiu8mwm^ zxQS)p&Lr@;r8NE@_YK%w1QhZAZtp<$|LGm<*8f{c&yfEITwY=eJNv&1?Em8CIjb1~ z=9FE-5>SGcG>F;HCw|F`=){=b#0LrL@q}voiw! 
zHw{h`JUmb*mf*?aPk{JtegDL%4FBKsETGW;|4=&r?RM#rz>fcKA$>>uf0F|NNeomN z0N_bQz&1kwh`M+lTu-S^s}2hd6l`Je`0uDz=to8$cd|zW0Gek}5(>C^9 z&+!RQ>78|b!c!V5olXQzbA;1=Fv{C-e@|`d`VR1^&5f9(M$U(VcCX|dpIT~7@Av@L zith1Yxik;%^sFwih(Tt{u|=)akD-4iKwmdq*{?jkY?c>#TJBsg^oZSDP+)Cm{W1_r zdF@q-(2#qAn&L@Lw82$0A;Q#D{sOxX#J)>!eI!FpyYn3T9bLn!Vkf6z zRtvNJic(yqf>H&ZQc}JWj#4?b#2lsS@|-Rnv+M{1nLa>+Uxycyo70QG508H*H)p5g z$?zhUFY4wD6l=OuR6qL5eLaPqsS|RRD{s7-e2=5F{t5hzz99`yS+Hv8hAGMP9gbC) z@6-N7{^V&~Wxcv{i+{)7?D?a8J^6Gq8caTwCo;O@rv5!E)N*EwjZNNLXGYo5KL76 z+wk|wYQMwF)XK91e`Fv9WOSKHK`W|TrnB;O-h8?oPsSD14D;>XI)#d-@*{zz9AfSH zU*vR}Azy^cX+*%#wY#R+S~($eHT-<}+wkV{;%5BmdUA64j|@SY$`^lZd{6H1r8%B^ zu0|fr2pY^kwP^BZuf%dN9uMjN$JbY5T5Y) z0FuS>uJ9ioy~U}NY@v0Yot~d=RO6Yx&`Z{LK0M#JjSIY3sg1PG&DsbxrnfO`LdT0^ zi>?xF#R$(p;8{|Ti9Q%l29wicDs`dx&;=Ki1hes_;K6wv*HXi+G2JCRq97o;myEtscWlq1N1V5wHrvPttT6sVU$+0D4gfp*pKYXS?SE1a zvx#;R(9(Y|jFx1FD~laVhPFJTWRWK~>eEn zn#uot*N=wi%E#mX`};}%-^0Tl|KCb_cJ`nCw`0XpZgm4z-Y{baqf;R)oF<@$a^09f zj?`rdQ;@$FJ-S_?+${*DPISq}<=45GJOAKQ=Qw}rHdTq2+VsV{CS;l&33f9`7yyb7 z;&R%EA9iz2304JyZGr?~D2aVwBz*MS+VoF__K^U|G_kR2UNp} zoH>8{frvG9pczikzT6k4HR0xGO{$I_%dfalFP^DMS9HntBq9%V z(jOji!<)aj52e2cB$jXWN&DycYB-n-X&+sWPUx?H2bd(I`UUT$9uB|794}#I;)no$ zzzm6& zDQqT72!O{7A}{S*0I$td%j<03x4TU0_!-77NoSQ2#s=CZ0A0>XKq3#9;k=ogJNrg(P>SJ72(%L zU!IPR<1a?1C*h0m@=XRcXf2CI6huN`ZS+j^po7fvT-M&Ox145hhD48q9rr47izqXw zInzz=i(kWJt~-Kkk>WV)Zb5%q8;c%-6sX&CfZ)-0n)9R@S> zYgi~>j?h8Bzu$*fQ*l-47OTvag#u{l@#4EL=N;T*XTFVm(q+I@A(It?D z{67)@xzpb5|F)BM{C{o!U!m?$5(7_n8|4d(R=t@HGED$KuC~!Hy3R$F)k}v={_h7& zt6&RIeEuWze|Wcx|Gbs-?D&7)O^{WvT5e_hn)qsVP*y&}a}#;{qFAmudSpP#s4?C z3HX%<_|Fvqd3W%>Hir1hlFa`to51XvW6x=XKbekheGyP}{@?D%_P^cz{T=_`N~)6o z2YQ=$?ClArXOFJEY=#td#VCr=)qft>hrW$Exrr11?DCh)6OZ}4m90!@iuTZ64bW{g z8Zl9`ASMl$O|_jWu`zL|FKHwqMGV+F0;u)`;Uu;#WVlmr>u1E(=j`a#U+_CfBdPD8pZ_qNbaa9fh|hSw`9DaSGVce zr6A?Vf3Y|eobeIkf3$lE`QO>!o&RhlRVx2w3Ai9yXY59XAl!NIsGOS2+g??e9Am?J`Q})*5Te9 z{AS0@-yxItyOCY^BbW@0^VASJgSiTOzHg0MuwSL)8{4z)MSq{ep|0=w=iCkSle@Gq 
z)g92kms9kX?(Dxv+dmFsPtZYFnD3D}2!Kx&M!`N=(;Z5gHw%NPcj$w^>q=~`BWQ)n z1ms$>ranokv2gx9YSnD(ix4^gZeQOzTJDwF+r&)RZxQFnX)$stXJ&N;GvwGkf_Y8EqG>WMpI4UH;u6W*9EB zmu%4H6|YcdtVdHGR{8nVGVnF0jP)PTj!NLivI;-Y!uW58iTIzLo&V={(w5hM*((P{;eNI2nMAmIqF`w z+-7>g4{_z2eh>?&oxz~!6sfHGcg6d!!2f+;oBos7V$RWd)8j7Q2P%3tio1`H!-8g5V)zn=^a{^q zD}R)EzY@Hx`z{N8p34L>s>Gt&YT?9?@Sy9 z=^T@W6yGN9{kc-kvn-d@OA>bOv07EYA<>_MbZ$P&y zL@|^^8Rs7KTfq9*wOmSYo|%K; z^7X^>=QONyoN_b@WvfVn85Hrpct3YOMc%d&$1gn$7V)X(|H(J$da?ikU?%^+S@8ed z-P>I9|4;E*^8Y!!CtzPo0FXY9DFMh7OA(+T0?f_ntD9Z2`b$=S$?E?RSbcfXPtEJ+ zrd=}okIC$_m->?1f22k1FL;`o#0h9Qz!JYk0x>wmMwtY{Y!pI@;L-9&f#Xt*%yH;YBX720h6kShRV3{yV7 z?}R5^dR#6rK_u2guDV=40#|3I(im4}VYC^}VvPxb{t89?bfl4~wPbuR*qZ7Q&+LHg zA=Zs{5;99y`rhnO^6laN{yvVgTvkR)Bj!md>$mD+TjuWq%bojY^?x4ae-9%+P0dL8 zZ_8NYX(KpG*O{qjo}Y6xe1beP{;POE$a?SVV?@lr(junzv{1JY7D?-A{h*T2W{}+PU^|~cldOv5HXd%)24o^1i zDy2h_Z7b(Ta&W+XsXhN&@elJ%9aPS|j9abqslflEbhL=fKY#q0iU0HYAKQC-%lZ#b z^Z8=(KajS==za3xouWztxD*0XrQcXYdY^fWez1~<$^T!zIA5Bg=Q*>4&;QzR6ZJgD zL_L_7KFlW6Bn(n&Bzb%A^Xv0*8aO?zr1Z@>X!cU%SoCKG{(pG#_dm^n{{iRc`2Wql zW&G!pe3tnCVSgEQ{uRi8Nr!W&89K=qZ{81@BE~DaC$Ps=N)hQJc|=Ju{qq_VOoTyG=q(P zpyeJ$emE$aCeeH)N=dUp{PN`V(EZ}{-k-sXo+@7rE*)+s_6|vfPWw5aYwm*_PyPmovj`Cs+Tf{@q|+* zf!}>Mj3#)}Kf+~5Vi%pM~3hru%-? 
z_wHgyEckZSchRcjQN@!!r9YLDtYBVOgr$|}Qxw^C>8$j)&Psgh3wKo#u&QLaj5AEx za(~D{hJBS{z7;og#Sx9myhQE-eB(gNHZ~fzpGeMeeZzP|O|!@GqR<`690i}n(nsX$ z`Bc#VMTGt7&n*A%&8;F>Wj2nl zD{AoT%*OG|`z7%1eAu8#2u-@L>!1_E>wnQ{ggw-d;Rd1Ie^&g`y+2#2(dpAw)irvY?E_x5<$EwuJx!RB!z_~?;2{O4N!$r|e?%FrxyydmDMMvg=M-GxqN>#`wxf6Pgsq>aT%6LJifsEnf*?m=k#Ahsw>}T2bhHKgXiVMw@GKoswD9A=5=T=(2>- zkQnIPJ;4?Rz`K-Y)qlbtkVA>n5O4}w>i4T!W&Vwok7|X4v}~nhqEq0bs$B$lu#s-# z4gdrNxIiZtRnuEpzYd4%X@AB2wi$HnZ~Ww@oB_ih3P)1=rRvKm3>6G--7Ht?&R)Gc zzqmX(b$-J%)NmX>Ch?${8ViJ(s4D@ErN5n0sxMsTnDdwAMt@f`pT0YK#EAiERm}V0 z;Qi~1%b#DKU*Zbh9=thT_!<=ZL^yuNB5(ocrw50Ryb7WVQf|)s{_t)3k zn|rMd_n!jE!f2k6 zM2H6=45KDV=V|9)owM!F!DI#`zCJlTetUj=d3td1s(hP#>+2B@yk6Y&l*!AsTY3tG z=MQXEk$-K=IZjGTWVnxqw_y?wQA78^Ptv^Cq{V@^H|HIbT{rGOGRsYGP$W(5CtIqZ z9_Muh?q%hqEc{R(e(~1pv>I9dlx8^1$U0#*_NRvDW%Z!#(m_kT5UU5-yvNF#AkO3% z{R)W>rzxtTrb%_&!@lr>P*DKxieSRP@4{Bo^nWyouT4~;)6;FUKL=jRjfxq6^LK?e z@KaF8%WIMd&mOUo^jG=e<_F0o`{fVc;q=@6%^QzKL4j+jVmY39hy9@QQRJ5Y=8XY0 z`FPB>RVIaV&c?~m+sO63=m%c#Da-&aVJ%6}L&aMve%5{@qweQ=dEN$qvYM&zV;i#x zB!5Yq6n@#HL;{6Q!6&1hR39ZJd%tSYc#Y-ZH90d`oY%~vw3&VkM@`si*qf~UbslWo z^TTMI1Q-1zNc(Zro#RgPUGhVs7A5qfqagApQ?!D)QA>K|2OiB*H0FV?T+hg#blgE@ zU!9HTyX1$=!a)#^v-ub3b|~VKIT1`0-hT!&@Qc%A9`uqM6Cm@DAu+${X+T?GUG22z zbIw;_Y4B5(*?z|HRilrZsM1~S{V-*2j7LF~_j~W|$`sI#rpS|&VAXa)mYfE2l6n}il zAlFicmB70}vy7ZLE+t)~or)tQ6(RyDeRr&+G#Wp>Akc+ z&M-$#iWkuL{M73PNpORvV3eP|FiV4|mm84QjYc&X;Ke`U!F3oY(@?tFazP{s&a-%w zf3;;O$)=57v|Vpq9aR2Tz0 z=&e!oYApNLoc>>V|35S@rR$6JF+(rEy`7yZ|8M-{;{SKrJDY#Ej`9%pMX14FI!=o&-_-Pk^|iifcC0^svkocf^kZ*@G;PQUV}G^)QL}}^UJU>7 zp4&R9=N^bWqp@Q}I=Hwvesg+p{(ak4!VSN-{~E(--Aq%Wv(!p%gJJ*%JznT|7%Kf>(dv zllNG~X>03yVWW}zS=~dqL8F|rwcD2X-jwpSPMoz_g2Rm!mQ~XrzNH;^qiF@tF*&? 
zGGr|%6VQDCr99B2EFTlX0VTF2l{m;}m=t?8muy!n`)Gkp?%+83IUAoV(-lnoMA@xi zCWW(3=gDjZ?SH3avnqng+d@vM(o9s-IylEy2yQbya}jMd6QYg7DSe~Z@BZLN2vc#H1 zT%;lj2Vq8qNE&2;dvQG>(;p^MgtjP}BO|if@=kgnJrZ@}K}6G*(u5g*2jVu``x@5) zXJ7PT5?Z{hmiCB93pN%GOISynLlvy2etZX%GYJ7psy3Ake&Zv-!@z%rgYz+9;7{I4 z(@GeRK06aS5B^XR;H&d)9pau^j_=i z|8EEStZPLk<(64VypusJ9e*qTzT&N1uGHEk@8sH&YNSv7)-Lg(r2#C?Td^CwAiqK#^F3CFrL9kjen=|QRDh-R8^P9pnrG_ z1OHPv7!SPRcmT30a_Qrt$^WnNP?4D!o1ezrqcBazBgB3`jJr1hpkFGeBWM^p+ikN z6z2`IZ=kGn7k@<6g3+jZ-GYt3H#>DCU_53Jl}dt{)e2TICWjpsH?(dL1;^6Z>2ChS z+_}|A_wAUIS-at__aYr%doSo;1N45LxtonuZxj9p|22oCN@?rh-fsOQq=h_3E%|es zJi~PkI0TCPk&WOALM#;oO+&yQVQP3**;4ldvoTBbp>0tFkCqo?R5cHiO3>ca-N(+K3O*`WKJ69N1@U>+=9 zSe&McZfAfd{U{zz#ryZ_ifDD#TFn@RHP7nmbeQ&>o~NRWpcm;e-*xSy!YAh3klnD? z1C$3}4}YlAEteY}C;YPTRaLzllT1+OpyewS+m^jQYd;F3woNw+9IPUgRv)=Tv|^v6 zC{1U(+l5**4(8Eqdr|DqZ0+Xft!`;uOfE_b`)ySx=d~MG9fIqzlfTCCNUmn!k63O= zndJyEwguyBP`!K$|2K-_3Hsc5N>4_Y$ajbIuYUv7FdpcOCV`{nQSb=<(?`{Gm|-3` z0Ed{^_~E2M9(~Hm$za@pKVk8Ts46M5U#M6bUy4z4(9Ol`^VLc$th0JK*fm%E9FfQ> zbK%v`k+)S$CW$FS_$Md2LRmlgH_I_hm)&+FIOcVi(Bs)@*-Yq1Sq#O8ymy#c9Ue80 z*ndQVKFp;)q*+vvE;qQJeGTwo(a$S-Tg9Xx#<8|+e1lD`(fEFgLz&zVQwJ=@s>r)| z1NY56tuHJm-0jVc+0F^&PIq-&?p{{T@l+`?oRn)#$$DX(828$rdiXU~Iqfz!wzoIj z)0jqaFwq$?*BaY!a4u#ghCUM3r$Yq|CVy)5FkFl<#>pubAs4p==s55{vT%WproiG~ z$Dh3569xqa7_%1mX$Xi8C&l-YYG2fhYKJkZWcvmUFCl!d&@rhBFLAy$o4yGzQKWH| zejVy2e{;^ZGg7%sc>C*w1LTooh+*@V@2%g7y!C7_T8DE?{F{KA;Mf1n8Sq!HIe+w4 zzWJwQdi#CF`ztyHBdKp5hp^P&I zelxA=kFQdam5i@``pvYeKmNtp!Q1nbi>f*7pMP^(*Pn|LHdRcdfBVg9H~$pt<1|^1 z;*KAY*L^qcd<>E%AdO@)ih=KHrGI@lkGN2}@5=`-LqG`U2Z$c{eU$QlBri;TKlK-i z+|kVC%x1)V%_m{-h6-@dGHdFx*SMWZ?80e<%DLy_3FPBLj*dTEp1pf_ae49X=i|2( zxx30p0LpUke`j%=U64wA<}|NQ&M#mJ1f}Ei^YVFCe%;^yt4^0U`yB83A%C)o<}?-k z70nCA7rW|t9ShVb9I+*~Op)|Ctx@j0i%MZw(K!S19A*FVheq9VCuAi@D&B@OpKh6l z#(Bt(Qu^66=$@(ORz1TnRcQqL%)kFJVedMpWY3m6q{1=fj_e^)#JpmJy|scUk=vX@ z_8%%C*b~o`67Yi=UeFEI$$uSPaRrh$M2Eh~%FR4@z3c8=b93ZwG*0a}97%WeIhk|& z?5h~`^1Cl@SGbxvc3OdX8Uu24 
zLp>t0%G61<<#N2jEknmB{1}jm;5pJdAiKlvn%9r-F!pFo@Sp0-!+!!Q?*?g@xZ2to z$^aGBKc7Zm4&*cko?o>?x!ltlZ$1xO=GR!>?$AVOjVOKuzJfCvgpxo)?G;7Wv45pinwb1|lmn6)Bcf*cL zkaU)EdlHrDBqvn!6o0cwQyTuGMA1=1fleR(U#e_i_qD&TlIG_br!@ISX)5}Mb3@gD z=ki4*07DHH0(ym!9t-xI!}&bG=PY4f=yN+g0Q}|}Xa@YvmJ~>zB&APCr-W&R$d8mH zFCufvcsQhtO+(M%Qo_=&4%o6$t>e*ERc4c#{QlLd^v={bPJeBNZ?X~Ea8PIZu6P-R zG3@t;6VZt>2v zm9^s93f9;M-O-d$?srSY0T*^p#i18=Q2M3Vu+otqer3XGV|=v^uYZI$=@t&G{eLL2`?*@3-l+ZU+|ROnsQbQ4 zXS78=OlRPQzswoeJ>_vuxyS;fF5=c^40itqy7-$bA9~?;XZd<@ab7Q#>bz5~O*NTy zWvU&oO#P)Yn9R5$xAXL?sk#47Wp+J7{(B-MO&#kufW=}-?-Dp(`7rt*Gu6bja$^Rbij-Hd)7Gq1=<%rkGPtm(b) zY5HIfRV*y@u1be}l-pAAL-XC33fQS}b0uAPsfF8{2f1YPf2{Qmrw;tU_gFUe0^eoX z@N>UUJAA|qP$?<#TzSAC3>>6y;~_c}<=hJBr=OB|JaWtjdi6J9*RqzhH#RmL6AAWy zpJG;(vd-gtXS;9jKGQx7>`lpw+Q4sB^sV;nd~=G zUVkR9ys~GV$6{uiIoJK)&CCn&F=@zY65fVUa1$J-9X}#8z3)+SU#D%yN)4E=EzwPi zrAE+jdGPx6ePLTwp~mnd#4IZ6p#-*#6V>zz^V68%8J!=5?CVbPAclF?EDK|zXHE3Q zlLFbteF%YctxX1IO!?r4a_bgAy4O>gMSl?L3{e9WJ?Qx?oJ!Q1bAj}t*1TUf<){MY zIpi?O(ostuQ<*EO#j>e7-Z_SQu*g<9=EEhovY{6zz?F^uAUUq=_V0pgEZi~YtxM~J z%G*XS#}~y2dFi*hYHwz>B$U25f$~hB0|H(=!tAScVP)n%}a0e)Zg?tM;iUcN+ZM&_i02A6 z;B{-)Mb|7*5{#~{96CbY6u{iMJ zF0(lHJ@0hUPmdh)t|#@cvZQ0}yPPq`11_^{%e>93h9tdZVJ~P3JR#G3P3f*c0)YK6k08Pbl7Y0hjp&yPVPUG&m zDEp=U+8j7xl#b@OGBGja8rNosrwvp8wkk%u{~c8fxG4N>oA~Cz)(n>QX#Pi4-s#@j zfoYS-IUZNktO#=?sL1WJBuT{dMvk50p0H3c-UDHwYSahALe;>Fg$2$Ga9=P`c?F&T z0(dI9e7mk{t$Ua4F7C=@z=htnjQO~ap3~t>zwYT7De7N(dB&Nktrn9#Iv^q^s-qb1mzhK)!qJb6}YZ zb_|SJFaYd7OX|W|x#@foS7rO!bauv*@j4cN&$_z#y~bzuGbd8&Mmg`5P8s=OS39?B z_&u(8PH*sqU-cBf=jjWa9Fj7}52ZE^DD1aO(bVVA3`38=4kxvb+y;X_}f_Be5oA8=*Gj@N_krqv^TNFC zoCH6uagba`diHUaw#yyrw3hBsVp$ba&5BOt$0Q!m1JjB8&w`%dNz<>S5Eg=u^&51Y zcAABg_0Btepvy$3`+*;2eGk6qd?Yn76|ceeRIkRXG9%LnrC$4D@6Mw1C`|2&uPgm5 z8?ES-nkugROS&=}B*KAz6P%8JqliyD^=^WplmvvEj}$O?SgFbjLU?hB$JhpgZLmh+ zEibZhVE*z3r3vIX2FJxo<<3eYS{o zv23KmoGk_g8@!xzg)X!iEY8Uh5QX;nD1|xz)KFzwFB0TbI^r0T;=X);5*<^c?G7!L+8z=y+guNx+5qjeKz>-1k< zexn7QfhK`i1YckO07^i$za!!Qsvr9|>-Zn_XL>taH-lo8r}42{P)`b 
z2>;Cn@bCWzngSyp#^cmGIXZ^PM@ft#MWYpV1Am>{!B-6&^Mngie+Mc2+zFFT6m&vf zX@7jp|A_qSW+!Y-22lgstv@v$=J$X2>fr59$FJZ0)EaabKgaaKZ7{fo7ueoi^ENj&w^kdC!@jT`jc>gp z31Pk>5W4b!sZQ}>e{+6b^2u+v+B>byM&rl8&&G-LWBz;J6HX2}{0z~|)d&YjGZb}= z@6lO+U%((Km zTSvKW9eS)zS&lg7z;ve{4pW)qyV`SnH*F3Tx|@t6@p~8sf7xA}d=y?9Cw;lMS94P6 z0atZ`Xy}$y<$UgH^59d@QK}<};)noU4{;&T1!Pv*>t4I=UiaFo3V?Q7ZSTdqP8K8l zY;9=x`C)tmi}}|3G5n;A1(g6`2`_Y|0NhPDSx24WNHR4IF-r}|PJ*N1&^2Wmm4@wr(MLIdr zCBKnYasMz)$5fCTR*6TXn(TX5%_iHE^Q-&*zo+paxEzl0(f#GBg@;69j=)~+``ESb zW5e9X=3enV&;Oj;g|^L)FVl+lTV>5VY1mX&gNlCJf7I^+2%_Q-ejdZp;dQ_}ksc|u z+uUx#e_mQo?A<6Bo>Oiqm0|(wd4v{pCjsCh=)JkI&382(qFp5PqwpUv8z1&=?Ze(( zweg%;&_TDW7$$bU9{UjnSad#mod}2zmT#wbzO_~Noo{WGA(yLuoMs162nZdnMaj`N zz8u9}e?e$FwUOqIgEVn-SFS>(ButdwUA|pO0OA#&#CLU1AA00h6~)7wCgQbjNg@%f z1Ralv4W(n)tb6p|IoJ#UnkPm5S2{vXb}tMfg5@iO_9Tu1IRy3RbvQ)kI)!&mOW3GQ zS~k8bVEJ!7)(pzUh?-EZ>IxU6(WpjE;SjDOf8um%W(yBmm$?h9vFc_{L5%ha=S6;( zCuwiious|#TsS6&^DrkI;@npU2ARW#{}CiHPqSV7nzy$!3f(~z`aj2j;5SS7p>Ms{ zKJBN7r)Zyu$Ww0!s|0+tXD$5|U?-v|3QC!LrG@7*8ed0Y+J75oSZHwq7mTa}K5@lO ze^|tgw5DN(v6fd%xA-z^pYsNtv!V$uE!c(=;p?l7E!(?h*c?5`(SZj|QFtDQ=O_E# z8~-D)2e#{iyiH{xzcRW=RNRX{s&NK;o*ESTa<}f8LJ!=$@+OkE8jR5Rk@(T;a1ds) zApPYT7t6fD3uVNWDi1VTCtg1}%c6o@e|6Gjjg4J2nT;}T$8I(=ovQjIj*#8O3Vu-)6V z*1w_FUy2Kl{Ui$K#fF=e2nM)Ed1JL%qunhF!4QAy485sGuKO0C$9$-3OHkL|c3lbz zJt}y~x4|7C1+)&MjRrO)Obi9~e{@+{M~XRE0fP4jJ5=8e>ZQGJ*Oe%sN1n}c5G5|k zdrR^Q5_!#dpAz5A0ul?F{Ef~iOanFx3*4%`z^%56S_##=lj1URD|0qMR5ZUc)DdOl z(Ww@XU+&a?KRbl>_2UMd;)XZCo$-AktvR*4s^~fe$~;okcpaaVs4Tt+ z-}RQG_t|`z_33qQy05$ZvFaz)-mZHx?d_?LwJk5{p(9UutPfm#rQpYp^);!ISQc}i zq~kWkE7+(_ST+j6PlZS(nvChfiQBaf7#A=BV^bxF}bBL z>co+P1P6COpCs(0ET-?(X6N?yO3#@OL=Hk2n3r{NBJ@}l^_}P6_z3hiCkW_v=V2q4 z!vyeLGHhL~7WB|J*CyU}e1ra5?F}0y$wqdbKPzhu06KecY;q%Y(Z}9idtPF-v4|;( z$G7>gVb76CBL1FOf0NRS-SAC@;Y?UJty$?cBEqqylQGpd( ztf^d5ltGH9+;yDw3BjJIKp(Q+N=Sm@$kYaE!`L=yPK(Ulkgz?=qgNje-oL)MJUBW! 
zyUP3fhD6F>o#KPYAxV-`&82U`S1T444niFOl5NUw`jA~zf3rI!*==%hS*{L}V+Oib z81PlTy{vS%t`!V=IQ;h2)NrwDvkZ1T~+g*%CB%L?`aw# zA2$j*VUK-gNm<9gkf=*T(n!)%v!J~H-P&x)F0v)YM%tt5AWE%jocYE0tgh>MTE@cf z?bPKQpogYEf5?Blc;ipJ%^gF0=Au2j!ny2i)s_Lb%4`X5#u=MuRgr?bFp2XnJuH4y5vsfeN0djb1Ow!Dix$_OZP5-nJpd&bBpIN)hPqR9 zD7p@MXdm8Sh&HoR}`Sr@j!7uMdb;1(1SQoKH{e;uv-DK4oScgA?+xWcUO4XJ@LeeR26e8JjNPorT8eTEkQg*I!bV2%5bxAe1mqh2I|iEEMR+z%BX&60 ztIhcCF-xt?yeuA|O}}}?+DLp(p-oifmeAu2rtfg-N1tE`L;Xks%J04Pu+=ezR0?16 zk{8Bjf1|Y}gjvV3l{IT^=uv)tnHHPS3*4xw{cP_-2eO83wRZoVzElcdm&_{6l*OYs zif<<8BUEAm+Q(wgA>J+)sOMwF6V?=k5n^q1)h?>5%IznpJTEFXv~^^S*qSwc&-TNm zwR~3_Ie)jIsEe_%6729En-LsEkTg{wD$4R}f1YJ!m9>x>oR;viE)YQvn?8)lKWF{6 zjj1e;!ZaC^`2NGVix?4Z!sU9~|1K1za6JsuwaL{UlPgkh5`)U(xhGaZ@5SNk_vaVK zXT(Xay1Gm{fX&(@!Zqu%4XxTHSumhEI-=e0>azdPqiFEuNd%*@!+#f1s_*^h!JF4o zf1yUXI&qK=IS&a8)LsJ%pKtKF!T)Itpy=c;OePPVI0iK>1`l1`wy%TCZ(qqF)P9rS zX%kHQJ2FT6!?B+Lt56}Qey}i_}>l8_R|#zPRBe@Y=NQ1jLWZ|JdFzES3}FyagT=Vnr}$=aS- zySr^InsABJ32QDh433P6pO5@BrTDyp_1V~-clT;z(!Grmtgft~2Du8KYn-XhsB{HS zTKjDG)Y(ejxs*^Kh_@WZ3R@?YCh?f$M4|Y{-M!lIvuEJv;`MnEO3aq1l7t*&e{E~- zuCeB}U%KA1d-4|B?pr*A>mzR@+ZT+~w?v@491Sxv9x-%y8^3DKUjyJ=tA-A%R?)+7 z*b$c;8VXqsVAAkTj5=Wubo%}rf6wrV{`)>48x9tN`7lw@ne64Z}}=@@;k(KRT7Cl|-rQHYiz!uK2rgqt3q z6u>c?B&_3#*x%aK&gI7me;to&KB2mv8_+{P3-V7l=9$g!%5ioTRBla&O7wcx6FGJu zts=-xbpDx%0zG;1jb%cGg>7&Y0pv`L_&6`qe_%vH4ro=Ult5N_ z`%Zysg5%oyj9t`ccm`%{0FaaCWAoUAEUt4qwOyT{$EvKcu6_)9=(o0G8Pqnnl5Pb( zWNKJQX<+b`b{F2MZS36H+f*FrldYZc+#|s_TM7&5_}4? 
zcf+$FOC~=86-LB5f17F9*{w~=c1vXefhyaxlu}xn6m4s4h!AI4R`j5P-cy;O7qQL7uP|2#8s66@l{3Alq-fIU*&Z1lf<9M^mUmq=mAekp8u8( z7;r?wa{0w)5twisg4(U^>OqUC?F_lY&X7F5ToKwCl2H<-!D~3=AsoGp?Y3)!=k}hN z!bsN2V42FWe|4qA9db#uV+F@L#g^ilJ<1m3%h}Xk_!cc3hc-S=-JCwFHSj;ZANsd| zgV_nxp0PGg+uAWlCA6mr!T?|nVUh=`%CXLO?cn#?ruv<2?bJd{k!w`UQ=(HJOUN3Z zK0mo3vlOXk%6(E&dREBdkTKvOxsd>_o!ZjN&SqJ(e+Ci&rhLdbeGrCJ9CT4nhrc!9 z_QGB$41$1MZH4+yd&69h=xqO%BJ*KgdTsBzoi=Hs4qP3do$Yjrc5kP)8e(UYUi|wL zWtt@A4l;1h<4g&DAD>Bn%S0#sP``jAJ#+qJcX+b>Bd*ZxH0>Z6ip&_Zx36fu-` zf+wo&fwj#ZSSQ8+KkedQ);)3P;SA45!|v-UxJa>SslNH*#NX9@K+ppxKBjbis6_xK z9YjnV{W=gV;KVv;md9cvwrjJ-+q;AfUdJ~ee@fj35#bz3vuMqaAlwZTIFo3i(4jzC z6yN+v?Olf#`1&;tcqJE6S0sZTl`O;+jdVp?eA_yz&w_x0@1ZU&fgbsnkF-`OxnPF_1pGJ7VLlcxB{ul`iUPo za(;3Amh9ul=jR@ob8kH=WyG`8KDce`f8Z?JY!wKW69ornaw-Vah3R-^Cfv2xwl#$g z`D1vMXe+~u8$ic!6a{8R#%no^(t{RKfb}DF^3J+6!FHL;?b>Y7HnT-~mL!f<5`Z!i z>6kSDDDeMKWp{x+WDV`w2(-=KzXoCcAg(Ev58u_TxCU(1M$lW|(fB!6gwnyce>ZAV zosE|c_$aLIUYF&=TBzI$GjDI!KC{i8YN&O*zl|pnOjCPzn=cLPe?`$Zr%8AlM!`*R zj5!5p3;XPMcV)u#kk;w7Y0Y$sOQ_9XZ4!U=R(L?k{!{uIoCHCwfVdsl_Ev44ZtJDy zqF*{jLgh8;vK?G`h&j^??7skIn-kqWnJyH0Jf>(qs< zF}CKjf&>Wj`DFTqzpWfp+Z(kx=nYGrw$ut`F%5jB37P51-8e*7R(WOOf8)hluluyO zIB~&wjtez$m}tHO`q#(XMLIY@w*m5mRldb+otzSCqFjx6g>`w8Epq9yR9$3zBPkSP z{zl_W2r&7Ge%REhrf9mo+6S_yZJ>L$S!UaM^ChCQxb286!++7E5#LWzUEwM({o&-2 z?AV9|M6pFntsPhkJyu)ge=b>>wi=q04PFMk$pDRv6BO$)MQ~zWG|Q?dwnlBMwi#(_ zugoV_&PZ6^H^5kRTy%!wwJ{wds!%#sjdn765Uzgjfd#}JTXb-f9)_0I^fz#Bepnc zgaqf?5ye?q5J)})Vf(wfBp7-)UcAml%R`mVL z1xIFlhznv94jU8AtXsx5(eZy654$J{##l@MF)Wq50DR~(SpfDY?DDN)%0bv8 z5pj+v;04rn{omqD6}SM6DU^DW9p7awOtKY`)NKh5WP+lFQti~HR6Ckd?P^1s@*b!l zQ-owshGC{%Jvf$Ga>1h#!e-Q!9bFg=%TT*nd%2rCwh%FjPScE{VXwR>>;;`k2kwvr zG7>LH>`Mc7eKpomA?@^SG9D^C!^ zsPFp0eOef1=3bJKep)_Go!Z*V|B zr1+z*ZgdCV44*45qZqYmIGWAcxNh@1P0M$Tz4p6OnNveHp$PkV!NoHV%1~8%5u1F} zZ*8p_)7E3{6(fV!4xfh})}utNg3>vh1veqZ4k^z)*+%+*u&EqDkUU%uemZ`8ae4Cg ze;yxRT#9J+{^Hf;>A}UTs}i3Qy->VCPPv>9=Z=f-RdA7>7v5S5kRL>N2Tz{>~W-s*O3f7<0by;hnH*z#z{8 
zxmO^#S(gBl{a71+zEA825XQS87+U&uM_>lAz!+Li+!b3$q^!2N)Tiwwf1ZOPQUh471^p*h2nh5 zo70LcpwJJKfQFSE40*Nv%Ap5B9`ha|qZ)$7aAVH)4r76TMXK{g zZuY*@Z(ysnW$e9eTbHWzaTZ-GF>C6iZ&>C_>LFMmt=6JDm&^7H_aKo zw2p9&#o$YY&nytNUW&J?H(Mia`sX~C)9s?wNT z;cQs43!Ni=#HUQ};YvRerI1AFMd>NwYs2Q4S#A4s<>TP{L>%c|tD=!|`TAGw|Cjr| zDj$W!T)q&;jFZzfPkETHd3Mm|nipgpTVX_hUL=yMg*LOs*;~d#3V&hPLM>kzBSdR5 z3=j*OOa_crl|8^x#m|*E2uaEp6n;%G5yny&hhs`*412>62a6dbRyo(R8+SeiO476A zU9Np(CP=S6^bVr&02ePJE`7jXv9r37%4lwV{kRWy%P`(2AN{z~1 zkvyz>!NOn302-lVXGW2oASCQ@e)7}B@!1<-hHro!NOgb-QcPvQ6$)1MXs)VDN?YuQ z)=6_Hf>I6mDb|54BlTu{Q<=GF{1oPYTH&EA?!=K~L^0SLreHe?@jq6|7MF3dB0zGn zMZSKx@|;xhs7(9iN`coamYti_p74q*Rn_O z#nVRFP%aTs*8wb0fTrcCv|1d9!93eK-V|^BiuivbJBqkVlF-eJrKL31|A!jQv#$u2qhoajT+VraoM9(c-Jhxxrq>--EssWC-Ca4;y2gIe_lU(%#Sd{DD5in)*<$m zAIq+FekWYh%ahuM%lgLUAI2w#?~ab&{qpws?EEq2m{tFGqgelQdt+Ju^GQD6djBJ@ z5C}Rk^J2{&vU0+)eeQ)WKacWJfA9b8#o5UZ?=Mc?K0*oL>F=+{Q`6w-PNcO1$eQ7lf46MxL)B*sH}qqeq#14{q{W~k&6u+n5ks2zVHZ_r z=*dbMbuZVvzu{i|^rJ_m8LkH*IWaVNk?5Q~Cb6ALw8244umoSr`%l>2UCcIBZxTeP zJMvlabi;xjj5EPAyT$_H5kU`r$+)iVU7TS3v%Z8I_DPdxUp`EG4X#d16~%NmP1qvm z=;Bw>g6%}%M_fHCPX|E)lEqph^P`V!O875yhIj%X zFClnk1Y*Fbj&J&t@n01+eH)Sz0Ki58@em_5BMIdszW%_wLH}>sCJJmZB|m~2C!Hnb zUE*hgrD(<+clTqQj0b=HwUawwCrJ+zmA0QusxTPYl445xTNrGOBo;qR1D1CXBs!#) z$D?e3B-8nbig-M3j|+#9%B*mDFmnU8v+pS*LYFt&avs%shuH>V$4_XJt6(F4oe;o` z;uK#$3KVx};bc8Bi+|W1ML>Df!KV=*o?zIaS8$9e!bNb0aRf?9Lcz!9=|x-(;D4_u zSvcv8(BrHp%GH}Oh;eXqa6H~HxHA>?uu(h&q~w{EQ%-KL2h9d>rhPojZ&l?7vih-~ zUjX7(cia)H8J-fq#IUC~3(x_7;+7Qu!EK?5fu>41-Wu-~jlEjF9h2NczqUNV;HrQa zmI+uR?Nr)H(At{zK_dJwtl35MN-1>Fv3`^hW-;raN{ADWo-dn}N!dLy!W{~Fflmp) z2%Km`Ep(NR0^^{{$cwOd7gMr_ahIbmS`0Y^EZ%En$7?j&j249|r1C_6f-bb*%>5+U zAf!+N+HvEA>N>+ReT%kHT^;{Arh+>yShshm8Y_2N#D<*cEAwyQAmM?-@%w`jW|!8$ zG4PX*oOXBxzgvMdZMD4jTqZmusO!IKuev{8rv8upbP-=V-SpRNOK2S;*-W3=NsmK#%C{6jB5KNz+@7^ zuqMUpjZr}Z0215*B3Sbzu8Qn{%@`pu2;gFmzK@B-Eufa5{!WPN~-qN8-Ir zZkpqvM4{y~O|`fy{myoNrrM&Uq9-akE-PiHa&PAPAqc}+&>$2g1cCOST1rS`yzTjz 
zl_&_h*I2c@%lVXlx|qix9wC8i(SiyYvGjt<)*-QGR`eMqkL+a8m0$rXAN8I{-Vs|S zv|Bfy0M`lNoK4E>AO*&=WBh9h77P{7?5i=gt(9ke1}Hk9g{Qz-rHB=!p+wsN=G8Sg zP+xfk*B5jU10Z`sslNbnc_`cgvYc;)dCr_gYj8E)`L+Vy^;admZ-!dOv5%skw^+4H{n=jks;zprDvb^dJ~7vAE3Q@-?)CSFrz z9>fJUiHgD$jkiQz;L&u(Szs1m5>^%uV85_7JclNLce9xcyymU9!VB1^6|Cgv<=f@e z(SPu1&|*%1xKy(tUr3~BbgnKFc8ZW8WF84Eaa_m;c?}2myW1d4!~Xin%bMM;C?}W| zg$dE(_b9u?do!yP-7!`TGHqxP zTai1!5lTS1PB=XStn#Oyk8=c6s8&N0Ee?%kWGz$xDQcKj4WEu+k2E^rPBlE&x5`m` zU?(-PzXV|vuI$nxuj;{?D^bGhzNqyvzZi{Y19i$13;$yhfrNm=%W3t_7~SK?VC9Rx}D`}FAWQRDwUYcAl!BRP(L z4{8qB1x2Iiqq!!j5%c%ZGLdqrQi^g626am+suz@zS#i1{9tN@o$TSD5?sonM&9U;| zQ{~KNoxxxBz5fn(PUU1lCJfn`S~4(GzYeVJFDu?Z&Fb+Vzo3C#%8qM?Q*!kTdEI#1 zLM>@sYI3z=4Fz)lG1oP;p$3O&SynA(RncV8#>P+iirc-m)|Abto8cImMlPt{ez5qYBdQ9D{`sAY{Ow(IX7{o zuZx`qhTbR~G5(&-hO`=2lfPeou}=+hm6Y{t%n2P>m&|MzzhX|=g_l6-yQMzZa7~r@ zBtJqHsaa=C9BpV(Nxoe|tvVZ>rDV3|@vm_SaC$EY>)}{YFuck7t9&X~&4f?OAzGXe z3AaQFD}*^DI{uvs8$=cfkS)0_s{rMg99$4a;RFL>x5@t(M(m9vcFwVXHK2qyKy2kO zE0J-z7>tkZpdQJg@bV3!loF>VWhozQKt)>_)uV&l-^a-5UX!ekUV3^}J_nH|Van(Z z8C<1a6H=lIzzVoPqXM94z`zrdbzl7k4FYc+WaRZU1F%j!Y>0{gxgwI%rNB{S4NqX7 zn}IkBJbpVsScX-~6u8rWZXA%~7=clboV4lU5D8v6IP{nW89<`1$af8cYBAY9Z6-78+=I<-s_uk47UjK^sSNi#PmxwB4tc6Qp75c3F*Una2C7}Ix zHS&Fdl~rssw<;*|jvlZ5Y!kA%83!9iI;6dz!jV^IZ&#!cW%gB(Kf#0iWKbn03iFaz z^Wq9Oe5ENNvJb0&3R&T6P6!)aRh<(;YaY_{J!_ED1OvGaBha(c;0(}{*6eB>d`7UN ztMi_l{MP88_`U6T{QT*_)Sk8iTnQvt%|5Xm+t_vk$E@Kv_(Tro0A;s=bRE2hS_EYqpE^t`mOUUW;; z_-Shp3_t?@esgE{O*nU_&S(rhHU_FgIXL1kE+EPl`7aaR^6SQ5tCv;^xqmJJTiOD` z>lc6c5j>cGnny2P9`)dzWz|1+2SJFE$3rERh_8c~4fKHj?_$HTrDUkSQ~du;%)Y#7 z0QAKd-Eo20@)OM_DGuEz%#qfmDnTg`J+iFg|G;gbAwEt%7SIJSp2G|kDH=>zOTjMu ziprExlyoxe9Qql+!Oi-Sj%wL2V}|OH7_T;wnF76k1!CjYRsNpxS{A6xZ(h*p$KFb_ z*<4wjO>~~K9O3=N+o(fvXzn7Z!T%-J^p3gHj$BtD;z}L_ghwIh(N#v21CPxsSbR;I zO(OD$@B%*#BeKS(K#yQ9@uaaRih>BubBM^pCcQ&rfb~>ejf0ycATR1hgOsSOtK;Fw z8^p4I*`n__@ljI;@?NYQzCKu4ZAbxg_UBN6Tp|o<=MD7Tcpdm4s?qaf$?vW|@m`^> z^biZ>7_W8@1}3U|r$m4JLfj54CClC2UEcX4@>iFxp$PY&!_kt#-m9>y0jOaRg9f~cxf=i8c3%dKqPPCe}qxwd#4zx+fkTl 
diff --git a/hashicorp-vault/local-patches/0002-Allow-per-service-annotations.patch b/hashicorp-vault/local-patches/0001-Allow-per-service-annotations.patch similarity index 100% rename from hashicorp-vault/local-patches/0002-Allow-per-service-annotations.patch rename to hashicorp-vault/local-patches/0001-Allow-per-service-annotations.patch diff --git a/hashicorp-vault/local-patches/0001-patch-server-route.patch b/hashicorp-vault/local-patches/0001-patch-server-route.patch deleted file mode 100644 index edc22c5..0000000 --- a/hashicorp-vault/local-patches/0001-patch-server-route.patch +++ /dev/null @@ -1,28 +0,0 @@ -diff -up vault/values.yaml.orig vault/values.yaml ---- vault/values.yaml.orig 2022-09-05 20:42:02.468428184 +0200 -+++ vault/values.yaml 2022-09-05 20:42:05.218435871 +0200 -@@ -406,7 +406,8 @@ server: - - labels: {} - annotations: {} -- host: chart-example.local -+ #host: chart-example.local -+ host: null - # tls will be passed directly to the route's TLS config, which - # can be used to configure other termination methods that terminate - # TLS at the router -diff -up vault/values.schema.json.orig vault/values.schema.json ---- vault/values.schema.json.orig 2022-09-11 21:00:34.834334961 +0200 -+++ vault/values.schema.json 2022-09-11 21:00:57.190368032 +0200 -@@ -838,7 +838,10 @@ - "type": "boolean" - }, - "host": { -- "type": "string" -+ "type": [ -+ "null", -+ "string" -+ ] - }, - "labels": { - "type": "object" diff --git a/hashicorp-vault/update-helm-dependency.sh b/hashicorp-vault/update-helm-dependency.sh index 76e4ac1..2551d88 100755
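Review bot: the hunk deleting 0001-patch-server-route.patch drops the local change that let the server route's `host` be `null` (both the `host: null` override in values.yaml and the schema change to `"type": ["null", "string"]`); the commit message should state that the newly vendored chart already accepts a null host, otherwise the route silently reverts to `chart-example.local`. The rename of 0002-Allow-per-service-annotations.patch to 0001 is only safe if update-helm-dependency.sh applies local patches by glob rather than by a hard-coded file name; worth confirming in the same commit.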
--- a/hashicorp-vault/update-helm-dependency.sh +++ b/hashicorp-vault/update-helm-dependency.sh @@ -1,5 +1,5 @@ #!/bin/bash -set -eu +set -eu -o pipefail # Get the version of the dependency and then unquote it TMPVER=$(sed -e '1,/^version:/ d' "Chart.yaml" | grep "version:" | awk '{ print $2 }') From aa72a78bf7d411a2636cd4b0070d90cd68c92004 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Tue, 23 Jan 2024 16:15:50 +0100 Subject: [PATCH 04/64] Do check for remote existence all the time MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit At the time we disabled the `validate-origin` target when running from inside the container as it apparently caused issues for some folks. I think now that we run as the user inside the container, the chances of this not working are reduced, so let's reenable this. Tested as follows: ❯ ./pattern.sh make TARGET_ORIGIN=upstream validate-origin Checking repository: https://github.com/hybrid-cloud-patterns/multicloud-gitops - branch 'nonexisting': NOT FOUND make: *** [Makefile:12: validate-origin] Error 2 ❯ ./pattern.sh make TARGET_ORIGIN=upstream validate-origin Checking repository: https://github.com/hybrid-cloud-patterns/multicloud-gitops - branch 'main': OK ❯ ./pattern.sh make validate-origin Checking repository: https://github.com/mbaldessari/multicloud-gitops.git - branch 'main': OK ❯ ./pattern.sh make validate-origin Checking repository: https://github.com/mbaldessari/multicloud-gitops.git - branch 'nonexisting': NOT FOUND make: *** [Makefile:12: validate-origin] Error 2 --- Makefile | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/Makefile b/Makefile index d07ca5c..50f886e 100644 --- a/Makefile +++ b/Makefile
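Review bot: in the update-helm-dependency.sh hunk, `-o pipefail` changes the behaviour of the very next line: the `sed ... | grep "version:" | awk ...` pipeline feeding `TMPVER` used to return awk's status (always 0), and now returns grep's status 1 whenever no `version:` line follows the first one, so `set -e` aborts the script with no message. That is the right outcome for a malformed Chart.yaml, but add an explicit diagnostic, e.g. `[ -n "$TMPVER" ] || { echo "no dependency version found in Chart.yaml" >&2; exit 1; }`, so the failure is understandable in CI logs.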
@@ -99,14 +99,9 @@ load-iib: ## CI target to install Index Image Bundles .PHONY: validate-origin validate-origin: ## verify the git origin is available @echo "Checking repository:" - @echo -n " $(TARGET_REPO) - branch $(TARGET_BRANCH): " - @if [ ! -f /run/.containerenv ]; then\ - git ls-remote --exit-code --heads $(TARGET_REPO) $(TARGET_BRANCH) >/dev/null &&\ - echo "OK" ||\ - (echo "NOT FOUND"; exit 1);\ - else\ - echo "Running inside a container: Skipping git ssh checks";\ - fi + @echo -n " $(TARGET_REPO) - branch '$(TARGET_BRANCH)': " + @git ls-remote --exit-code --heads $(TARGET_REPO) $(TARGET_BRANCH) >/dev/null &&\ + echo "OK" || (echo "NOT FOUND"; exit 1) .PHONY: validate-cluster validate-cluster: ## Do some cluster validations before installing From 05c51c1556663bd1672d666b2a4594ea97ddb99e Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Tue, 23 Jan 2024 16:30:44 +0100 Subject: [PATCH 05/64] Run validate-prereq only when not in a container MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There is no point in testing the requirements when we use the container, as we guarantee that those exist in there. Tested as follows: ❯ make validate-prereq make -f common/Makefile validate-prereq make[1]: Entering directory '/home/michele/Engineering/cloud-patterns/multicloud-gitops' Checking prerequisites: Check for 'git helm oc ansible': OK Check for python-kubernetes: OK Check for kubernetes.core collection: OK make[1]: Leaving directory '/home/michele/Engineering/cloud-patterns/multicloud-gitops' ❯ ./pattern.sh make validate-prereq make -f common/Makefile validate-prereq make[1]: Entering directory '/home/michele/Engineering/cloud-patterns/multicloud-gitops' Skipping prerequisites check as we're running inside a container make[1]: Leaving directory '/home/michele/Engineering/cloud-patterns/multicloud-gitops' --- Makefile | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) 
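Review bot: in the validate-origin hunk, `$(TARGET_REPO)` and `$(TARGET_BRANCH)` reach `git ls-remote` unquoted; an empty `TARGET_BRANCH` is dropped by word-splitting and `--exit-code --heads` then succeeds as soon as the repository has any branch at all, so the check passes without validating anything. Quote both arguments and fail early when either variable is empty. Since the container no longer skips this target, the commit message should also say that ssh-based origins inside the container depend on the passwd-entry fix from patch 01 and on the ssh key or agent being reachable from the container.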
diff --git a/Makefile b/Makefile index 50f886e..f7a2d5a 100644 --- a/Makefile +++ b/Makefile @@ -125,15 +125,19 @@ validate-schema: ## validates values files against schema in common/clustergroup .PHONY: validate-prereq validate-prereq: ## verify pre-requisites - @echo "Checking prerequisites:" - @for t in $(EXECUTABLES); do if ! which $$t > /dev/null 2>&1; then echo "No $$t in PATH"; exit 1; fi; done - @echo " Check for '$(EXECUTABLES)': OK" - @echo -n " Check for python-kubernetes: " - @if ! ansible -m ansible.builtin.command -a "{{ ansible_python_interpreter }} -c 'import kubernetes'" localhost > /dev/null 2>&1; then echo "Not found"; exit 1; fi - @echo "OK" - @echo -n " Check for kubernetes.core collection: " - @if ! ansible-galaxy collection list | grep kubernetes.core > /dev/null 2>&1; then echo "Not found"; exit 1; fi - @echo "OK" + @if [ ! -f /run/.containerenv ]; then\ + echo "Checking prerequisites:";\ + for t in $(EXECUTABLES); do if ! which $$t > /dev/null 2>&1; then echo "No $$t in PATH"; exit 1; fi; done;\ + echo " Check for '$(EXECUTABLES)': OK";\ + echo -n " Check for python-kubernetes: ";\ + if ! ansible -m ansible.builtin.command -a "{{ ansible_python_interpreter }} -c 'import kubernetes'" localhost > /dev/null 2>&1; then echo "Not found"; exit 1; fi;\ + echo "OK";\ + echo -n " Check for kubernetes.core collection: ";\ + if ! ansible-galaxy collection list | grep kubernetes.core > /dev/null 2>&1; then echo "Not found"; exit 1; fi;\ + echo "OK";\ + else\ + echo "Skipping prerequisites check as we're running inside a container";\ + fi .PHONY: argo-healthcheck argo-healthcheck: ## Checks if all argo applications are synced From b4eb4d999970a44c0904eb1e5d8e54c371a05b65 Mon Sep 17 00:00:00 2001 
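Review bot: the validate-prereq hunk keys the skip on `/run/.containerenv`, which is a podman-specific marker; under docker the file is absent, the prerequisite check runs inside the container anyway, and the "we guarantee that those exist in there" reasoning from the commit message no longer applies. Either test for both runtimes or, better, have pattern-util.sh pass an explicit environment variable into the container and test that, so the Makefile does not depend on a runtime-specific file. The recipe also now holds the whole check in one shell line with trailing backslashes; a comment above it noting that `exit 1` inside the `then` branch aborts the recipe as intended would help the next reader.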
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jan 2024 19:55:26 +0000 Subject: [PATCH 06/64] Bump dorny/paths-filter from 2 to 3 Bumps [dorny/paths-filter](https://github.com/dorny/paths-filter) from 2 to 3. - [Release notes](https://github.com/dorny/paths-filter/releases) - [Changelog](https://github.com/dorny/paths-filter/blob/master/CHANGELOG.md) - [Commits](https://github.com/dorny/paths-filter/compare/v2...v3) --- updated-dependencies: - dependency-name: dorny/paths-filter dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/chart-branches.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/chart-branches.yml b/.github/workflows/chart-branches.yml index d93b1db..1a4fb45 100644 --- a/.github/workflows/chart-branches.yml +++ b/.github/workflows/chart-branches.yml @@ -32,7 +32,7 @@ jobs: - name: Checkout Code uses: actions/checkout@v4 - - uses: dorny/paths-filter@v2 + - uses: dorny/paths-filter@v3 id: filter with: filters: | From 4023800aa9a13e148649ea0e459180637269515e Mon Sep 17 00:00:00 2001 
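Review bot: `dorny/paths-filter@v3` pins the action to a mutable major tag, so any later push to the `v3` tag changes the code that runs in this workflow without a review here; pin to the full commit SHA of the v3 release with the tag in a trailing comment so dependabot can keep bumping it. This is a semver-major bump, so check the changelog linked in the commit message for breaking changes, in particular that the `filters:` block that follows the `uses:` line is still accepted unchanged.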
From: Martin Jackson Date: Mon, 4 Dec 2023 14:23:03 -0600 Subject: [PATCH 07/64] Add support for parsing secrets into intermediate structure and creating k8s secret objects Ensure only push_secrets runs from vault_utils Update makefile - remove extra targets and make fix none Revert version bump as we only add fields Conditionalize check change output Start module to load parsed secrets into vault New machinery for vault secrets loading Make the linters pass again Inject policies Add some more code to test readiness to load Correct typo Add vault_hub Add vaultMount Rename new modules to v2 Update inject_field method Correct field typo Temporarily print command Add more logic Hopefully fix secret loading issue with counter Count per secret Pick stuff out of secret that we need Fix lint issue Refactor tests to use fixture constants Correctly spell exclusion for ansible-lint Provide a target to exercise legacy code path Add error exists for missing args and update docs Reverse test for override Also process base64 for generated secrets Be more explicit about what we load Test framework for loading parsed_secret data Fix linting errors Finish test suite Last linter stuff Change schema; code and tests to follow Add target_namespaces phase 1 more passing, but some still fail Passing again All pass Check the correct variable in golang-external-secrets chart Update YAML parsing to do decodes right Add tests and tighten up code for retrieving block yaml quotes Add test for kubernetes secret object and block yaml --- .ansible-lint | 3 + .gitignore | 1 + Makefile | 30 +- ansible/playbooks/k8s_secrets/k8s_secrets.yml | 9 + .../process_secrets/display_secrets_info.yml | 29 + .../process_secrets/process_secrets.yml | 50 + ansible/playbooks/vault/vault.yaml | 2 + .../module_utils/load_secrets_common.py | 20 + .../plugins/module_utils/parse_secrets_v2.py | 527 ++++++++++ ansible/plugins/modules/parse_secrets_info.py | 149 +++ .../modules/vault_load_parsed_secrets.py | 302 ++++++ 
.../roles/cluster_pre_check/defaults/main.yml | 3 + .../tasks/main.yml} | 0 ansible/roles/find_vp_secrets/tasks/main.yml | 87 ++ .../roles/k8s_secret_utils/defaults/main.yml | 2 + .../tasks/inject_k8s_secret.yml | 15 + .../tasks/inject_k8s_secrets.yml | 5 + ansible/roles/k8s_secret_utils/tasks/main.yml | 6 + .../k8s_secret_utils/tasks/parse_secrets.yml | 12 + .../tasks/push_parsed_secrets.yaml | 43 + .../roles/vault_utils/tasks/push_secrets.yaml | 2 - .../roles/vault_utils/tasks/vault_init.yaml | 2 - .../vault_utils/tasks/vault_secrets_init.yaml | 3 - .../vault_utils/tasks/vault_spokes_init.yaml | 3 - .../roles/vault_utils/tasks/vault_unseal.yaml | 2 - .../vault_utils/values-secrets.v2.schema.json | 32 +- ansible/tests/unit/test_parse_secrets.py | 981 ++++++++++++++++++ .../tests/unit/test_util_datastructures.py | 205 ++++ .../unit/test_vault_load_parsed_secrets.py | 320 ++++++ ansible/tests/unit/v2/test-file-contents | 1 + ansible/tests/unit/v2/test-file-contents.b64 | 1 + .../v2/values-secret-v2-base-k8s-backend.yaml | 9 + .../values-secret-v2-base-none-backend.yaml | 11 + ...values-secret-v2-base-unknown-backend.yaml | 9 + .../v2/values-secret-v2-block-yamlstring.yaml | 16 + .../values-secret-v2-default-annotations.yaml | 13 + .../v2/values-secret-v2-default-labels.yaml | 11 + .../values-secret-v2-default-namespace.yaml | 8 + .../values-secret-v2-file-contents-b64.yaml | 9 + ...es-secret-v2-file-contents-double-b64.yaml | 9 + .../v2/values-secret-v2-file-contents.yaml | 8 + ...values-secret-v2-generic-onlygenerate.yaml | 33 + .../v2/values-secret-v2-ini-file-b64.yaml | 23 + .../v2/values-secret-v2-more-namespaces.yaml | 11 + ...values-secret-v2-nondefault-namespace.yaml | 8 + ...es-secret-v2-none-no-targetnamespaces.yaml | 33 + .../v2/values-secret-v2-override-labels.yaml | 13 + .../values-secret-v2-override-namespace.yaml | 10 + .../values-secret-v2-override-type-none.yaml | 14 + .../v2/values-secret-v2-override-type.yaml | 12 + 
.../values-secret-v2-secret-binary-b64.yaml | 10 + .../templates/imperative/unsealjob.yaml | 2 + clustergroup/values.yaml | 2 + ...lang-external-secrets-hub-secretstore.yaml | 40 - .../golang-external-secrets-hub-role.yaml | 22 + ...lang-external-secrets-hub-secretstore.yaml | 34 + ...lang-external-secrets-hub-secretstore.yaml | 44 + golang-external-secrets/values.yaml | 24 +- scripts/determine-main-clustergroup.sh | 16 + scripts/determine-pattern-name.sh | 15 + scripts/determine-secretstore-backend.sh | 15 + scripts/display-secrets-info.sh | 30 + scripts/load-k8s-secrets.sh | 19 + scripts/manage-secret-app.sh | 49 + scripts/manage-secret-namespace.sh | 28 + scripts/process-secrets.sh | 20 + scripts/set-secret-backend.sh | 5 + ...roup-industrial-edge-factory.expected.yaml | 2 + ...tergroup-industrial-edge-hub.expected.yaml | 2 + ...rgroup-medical-diagnosis-hub.expected.yaml | 2 + tests/clustergroup-naked.expected.yaml | 2 + tests/clustergroup-normal.expected.yaml | 2 + ...rets-industrial-edge-factory.expected.yaml | 2 +- ...-secrets-industrial-edge-hub.expected.yaml | 2 +- ...ecrets-medical-diagnosis-hub.expected.yaml | 2 +- ...olang-external-secrets-naked.expected.yaml | 2 +- ...lang-external-secrets-normal.expected.yaml | 2 +- values-global.yaml | 3 + 78 files changed, 3439 insertions(+), 66 deletions(-) create mode 100644 ansible/playbooks/k8s_secrets/k8s_secrets.yml create mode 100644 ansible/playbooks/process_secrets/display_secrets_info.yml create mode 100644 ansible/playbooks/process_secrets/process_secrets.yml create mode 100644 ansible/plugins/module_utils/parse_secrets_v2.py create mode 100644 ansible/plugins/modules/parse_secrets_info.py create mode 100644 ansible/plugins/modules/vault_load_parsed_secrets.py create mode 100644 ansible/roles/cluster_pre_check/defaults/main.yml rename ansible/roles/{vault_utils/tasks/pre_check.yaml => cluster_pre_check/tasks/main.yml} (100%) create mode 100644 ansible/roles/find_vp_secrets/tasks/main.yml create mode 100644 
ansible/roles/k8s_secret_utils/defaults/main.yml create mode 100644 ansible/roles/k8s_secret_utils/tasks/inject_k8s_secret.yml create mode 100644 ansible/roles/k8s_secret_utils/tasks/inject_k8s_secrets.yml create mode 100644 ansible/roles/k8s_secret_utils/tasks/main.yml create mode 100644 ansible/roles/k8s_secret_utils/tasks/parse_secrets.yml create mode 100644 ansible/roles/vault_utils/tasks/push_parsed_secrets.yaml create mode 100644 ansible/tests/unit/test_parse_secrets.py create mode 100644 ansible/tests/unit/test_util_datastructures.py create mode 100644 ansible/tests/unit/test_vault_load_parsed_secrets.py create mode 100644 ansible/tests/unit/v2/test-file-contents create mode 100644 ansible/tests/unit/v2/test-file-contents.b64 create mode 100644 ansible/tests/unit/v2/values-secret-v2-base-k8s-backend.yaml create mode 100644 ansible/tests/unit/v2/values-secret-v2-base-none-backend.yaml create mode 100644 ansible/tests/unit/v2/values-secret-v2-base-unknown-backend.yaml create mode 100644 ansible/tests/unit/v2/values-secret-v2-block-yamlstring.yaml create mode 100644 ansible/tests/unit/v2/values-secret-v2-default-annotations.yaml create mode 100644 ansible/tests/unit/v2/values-secret-v2-default-labels.yaml create mode 100644 ansible/tests/unit/v2/values-secret-v2-default-namespace.yaml create mode 100644 ansible/tests/unit/v2/values-secret-v2-file-contents-b64.yaml create mode 100644 ansible/tests/unit/v2/values-secret-v2-file-contents-double-b64.yaml create mode 100644 ansible/tests/unit/v2/values-secret-v2-file-contents.yaml create mode 100644 ansible/tests/unit/v2/values-secret-v2-generic-onlygenerate.yaml create mode 100644 ansible/tests/unit/v2/values-secret-v2-ini-file-b64.yaml create mode 100644 ansible/tests/unit/v2/values-secret-v2-more-namespaces.yaml create mode 100644 ansible/tests/unit/v2/values-secret-v2-nondefault-namespace.yaml create mode 100644 ansible/tests/unit/v2/values-secret-v2-none-no-targetnamespaces.yaml create mode 100644 
ansible/tests/unit/v2/values-secret-v2-override-labels.yaml create mode 100644 ansible/tests/unit/v2/values-secret-v2-override-namespace.yaml create mode 100644 ansible/tests/unit/v2/values-secret-v2-override-type-none.yaml create mode 100644 ansible/tests/unit/v2/values-secret-v2-override-type.yaml create mode 100644 ansible/tests/unit/v2/values-secret-v2-secret-binary-b64.yaml delete mode 100644 golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml create mode 100644 golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-role.yaml create mode 100644 golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-secretstore.yaml create mode 100644 golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml create mode 100755 scripts/determine-main-clustergroup.sh create mode 100755 scripts/determine-pattern-name.sh create mode 100755 scripts/determine-secretstore-backend.sh create mode 100755 scripts/display-secrets-info.sh create mode 100755 scripts/load-k8s-secrets.sh create mode 100755 scripts/manage-secret-app.sh create mode 100755 scripts/manage-secret-namespace.sh create mode 100755 scripts/process-secrets.sh create mode 100755 scripts/set-secret-backend.sh diff --git a/.ansible-lint b/.ansible-lint index 353222e..aaffc6b 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -14,4 +14,7 @@ skip_list: exclude_paths: - ./ansible/playbooks/vault/vault.yaml - ./ansible/playbooks/iib-ci/iib-ci.yaml + - ./ansible/playbooks/k8s_secrets/k8s_secrets.yml + - ./ansible/playbooks/process_secrets/process_secrets.yml + - ./ansible/playbooks/process_secrets/display_secrets_info.yml - ./ansible/roles/vault_utils/tests/test.yml diff --git a/.gitignore b/.gitignore index 9e5051a..454efc9 100644 --- a/.gitignore +++ b/.gitignore @@ -5,6 +5,7 @@ __pycache__/ *.swo values-secret.yaml .*.expected.yaml +.vscode pattern-vault.init pattern-vault.init.bak super-linter.log 
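Review bot: adding the three new playbooks to `exclude_paths` in the .ansible-lint hunk removes them from linting entirely, on top of the existing vault and iib-ci exclusions; given that this commit also claims to "Make the linters pass again", it would be better to fix the reported findings or add the specific rule ids to `skip_list` so the new playbooks keep the remaining checks.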
diff --git a/Makefile b/Makefile index f7a2d5a..0d5d0a3 100644 --- a/Makefile +++ b/Makefile 
@@ -77,9 +77,37 @@ uninstall: ## runs helm uninstall @oc delete csv -n openshift-operators $(CSV) .PHONY: load-secrets -load-secrets: ## loads the secrets into the vault +load-secrets: ## loads the secrets into the backend determined by values-global setting + common/scripts/process-secrets.sh $(NAME) + +.PHONY: legacy-load-secrets +legacy-load-secrets: ## loads the secrets into vault (only) common/scripts/vault-utils.sh push_secrets $(NAME) +.PHONY: secrets-backend-vault +secrets-backend-vault: ## Edits values files to use default Vault+ESO secrets config + common/scripts/set-secret-backend.sh vault + common/scripts/manage-secret-app.sh vault present + common/scripts/manage-secret-app.sh golang-external-secrets present + common/scripts/manage-secret-namespace.sh validated-patterns-secrets absent + @git diff --exit-code || echo "Secrets backend set to vault, please review changes, commit, and push to activate in the pattern" + +.PHONY: secrets-backend-kubernetes +secrets-backend-kubernetes: ## Edits values file to use Kubernetes+ESO secrets config + common/scripts/set-secret-backend.sh kubernetes + common/scripts/manage-secret-namespace.sh validated-patterns-secrets present + common/scripts/manage-secret-app.sh vault absent + common/scripts/manage-secret-app.sh golang-external-secrets present + @git diff --exit-code || echo "Secrets backend set to kubernetes, please review changes, commit, and push to activate in the pattern" + +.PHONY: secrets-backend-none +secrets-backend-none: ## Edits values files to remove secrets manager + ESO + common/scripts/set-secret-backend.sh none + common/scripts/manage-secret-app.sh vault absent + common/scripts/manage-secret-app.sh golang-external-secrets absent + common/scripts/manage-secret-namespace.sh validated-patterns-secrets absent + @git diff --exit-code || echo "Secrets backend set to none, please review changes, commit, and push to activate in the pattern" + .PHONY: load-iib load-iib: ## CI target to install Index Image 
Bundles @set -e; if [ x$(INDEX_IMAGES) != x ]; then \ diff --git a/ansible/playbooks/k8s_secrets/k8s_secrets.yml b/ansible/playbooks/k8s_secrets/k8s_secrets.yml new file mode 100644 index 0000000..989a498 --- /dev/null +++ b/ansible/playbooks/k8s_secrets/k8s_secrets.yml @@ -0,0 +1,9 @@ +--- +- name: Secrets parsing and direct loading + hosts: localhost + connection: local + gather_facts: false + roles: + - find_vp_secrets + - cluster_pre_check + - k8s_secret_utils diff --git a/ansible/playbooks/process_secrets/display_secrets_info.yml b/ansible/playbooks/process_secrets/display_secrets_info.yml new file mode 100644 index 0000000..4d97235 --- /dev/null +++ b/ansible/playbooks/process_secrets/display_secrets_info.yml @@ -0,0 +1,29 @@ +--- +- name: Parse and display secrets + hosts: localhost + connection: local + gather_facts: false + vars: + secrets_backing_store: "vault" + tasks: + # Set the VALUES_SECRET environment variable to the file to parse + - name: Find and decrypt secrets if needed + ansible.builtin.include_role: + name: find_vp_secrets + + # find_vp_secrets will return a plaintext data structure called values_secrets_data + # This will allow us to determine schema version and which backend to use + - name: Determine how to load secrets + ansible.builtin.set_fact: + secrets_yaml: '{{ values_secrets_data | from_yaml }}' + + - name: Parse secrets data + no_log: '{{ override_no_log | default(true) }}' + parse_secrets_info: + values_secrets_plaintext: "{{ values_secrets_data }}" + secrets_backing_store: "{{ secrets_backing_store }}" + register: secrets_results + + - name: Display secrets data + ansible.builtin.debug: + var: secrets_results diff --git a/ansible/playbooks/process_secrets/process_secrets.yml b/ansible/playbooks/process_secrets/process_secrets.yml new file mode 100644 index 0000000..ecc1b56 --- /dev/null +++ b/ansible/playbooks/process_secrets/process_secrets.yml 
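Review bot: in the Makefile hunk the three `secrets-backend-*` targets run several `manage-secret-app.sh` and `manage-secret-namespace.sh` edits in sequence and only then print `git diff --exit-code || echo ...`; if one script fails midway, make aborts with the values files partially rewritten and no reminder, and when nothing changed the target prints nothing at all. Print the outcome in both branches (a "no changes needed" message when the diff is empty) so the user always knows what the target did.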
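Review bot: in the display_secrets_info.yml hunk the `parse_secrets_info` task is `no_log` by default, but the final `ansible.builtin.debug: var: secrets_results` prints the entire result, including `parsed_secrets` with decrypted values, to the terminal and to any Ansible log file or CI output capture. State this in a header comment next to the existing `VALUES_SECRET` note, and consider defaulting the output to secret names, paths and target namespaces, with the full values shown only when an explicit flag such as the existing `override_no_log` is set.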
@@ -0,0 +1,50 @@ +--- +- name: Parse and load secrets + hosts: localhost + connection: local + gather_facts: false + vars: + secrets_role: 'vault_utils' + pattern_name: 'common' + pattern_dir: '.' + secrets_backing_store: 'vault' + tasks_from: 'push_parsed_secrets' + tasks: + - name: "Run secret-loading pre-requisites" + ansible.builtin.include_role: + name: '{{ item }}' + loop: + - cluster_pre_check + - find_vp_secrets + + # find_vp_secrets will return a plaintext data structure called values_secrets_data + # This will allow us to determine schema version and which backend to use + - name: Determine how to load secrets + ansible.builtin.set_fact: + secrets_yaml: '{{ values_secrets_data | from_yaml }}' + + - name: Parse secrets data + no_log: '{{ override_no_log | default(true) }}' + parse_secrets_info: + values_secrets_plaintext: "{{ values_secrets_data }}" + secrets_backing_store: "{{ secrets_backing_store }}" + register: secrets_results + + # Use the k8s secrets loader when explicitly requested + - name: Determine role to use to load secrets + ansible.builtin.set_fact: + secrets_role: 'k8s_secret_utils' + tasks_from: 'inject_k8s_secrets' + when: + - secrets_backing_store == "kubernetes" or secrets_backing_store == "none" + - secrets_yaml['version'] | default('2.0') >= '2.0' + + # secrets_role will have been changed from the default if needed + - name: Load secrets using designated role and tasks + ansible.builtin.include_role: + name: '{{ secrets_role }}' + tasks_from: '{{ tasks_from }}' + vars: + kubernetes_secret_objects: "{{ secrets_results['kubernetes_secret_objects'] }}" + vault_policies: "{{ secrets_results['vault_policies'] }}" + parsed_secrets: "{{ secrets_results['parsed_secrets'] }}" diff --git a/ansible/playbooks/vault/vault.yaml b/ansible/playbooks/vault/vault.yaml index 64711e4..b0da940 100644 --- a/ansible/playbooks/vault/vault.yaml +++ b/ansible/playbooks/vault/vault.yaml 
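Review bot: the `when` clause `secrets_yaml['version'] | default('2.0') >= '2.0'` in process_secrets.yml is a plain string comparison, so a file with an unquoted `version: 2.0` yields a float compared against a string (a TypeError when the conditional is evaluated) and a future `version: 10.0` sorts below `'2.0'`; use `secrets_yaml['version'] | default('2.0') | string is version('2.0', '>=')`. Note also that `parse_secrets_info` runs unconditionally before this task and fails for any version other than 2.0, so the version half of the condition never sees another value. A short comment that `secrets_backing_store == "none"` selects `inject_k8s_secrets` on purpose (no secrets manager, Secret objects written straight into `targetNamespaces`) would help readers of the role selection.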
@@ -4,4 +4,6 @@ connection: local gather_facts: false roles: + - find_vp_secrets + - cluster_pre_check - vault_utils diff --git a/ansible/plugins/module_utils/load_secrets_common.py b/ansible/plugins/module_utils/load_secrets_common.py index 1652a28..b4ebc81 100644 --- a/ansible/plugins/module_utils/load_secrets_common.py +++ b/ansible/plugins/module_utils/load_secrets_common.py @@ -102,3 +102,23 @@ def get_ini_value(inifile, inisection, inikey): config = configparser.ConfigParser() config.read(inifile) return config.get(inisection, inikey, fallback=None) + + +def stringify_dict(input_dict): + """ + Return a dict whose keys and values are all co-erced to strings, for creating labels and annotations in the + python Kubernetes module + + Parameters: + input_dict(dict): A dictionary of keys and values + + Returns: + + obj: The same dict in the same order but with the keys coerced to str + """ + output_dict = {} + + for key, value in input_dict.items(): + output_dict[str(key)] = str(value) + + return output_dict diff --git a/ansible/plugins/module_utils/parse_secrets_v2.py b/ansible/plugins/module_utils/parse_secrets_v2.py new file mode 100644 index 0000000..512f75e --- /dev/null +++ b/ansible/plugins/module_utils/parse_secrets_v2.py 
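Review bot: `stringify_dict` in load_secrets_common.py coerces with Python `str()`, so YAML booleans in `labels`/`annotations` become `"True"`/`"False"` rather than the lowercase `"true"`/`"false"` that label selectors and most tooling expect, and a null value becomes the string `"None"`; map bool and None explicitly before falling back to `str()`. The docstring also says only the keys are coerced while the loop coerces values too, and "co-erced" is a typo.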
@@ -0,0 +1,527 @@ +# Copyright 2022, 2023 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +""" +Module that implements V2 of the values-secret.yaml spec +""" + +import base64 +import getpass +import os + +from ansible.module_utils.load_secrets_common import ( + find_dupes, + get_ini_value, + get_version, + stringify_dict, +) + +default_vp_vault_policies = { + "validatedPatternDefaultPolicy": ( + "length=20\n" + 'rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\n' + 'rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\n' + 'rule "charset" { charset = "0123456789" min-chars = 1 }\n' + 'rule "charset" { charset = "!@#%^&*" min-chars = 1 }\n' + ) +} + +secret_store_namespace = "validated-patterns-secrets" + + +class ParseSecretsV2: + def __init__(self, module, syaml, secrets_backing_store): + self.module = module + self.syaml = syaml + self.secrets_backing_store = str(secrets_backing_store) + self.secret_store_namespace = None + self.parsed_secrets = {} + self.kubernetes_secret_objects = [] + self.vault_policies = {} + + def _get_backingstore(self): + """ + Backing store is now influenced by the caller more than the file. Setting + Return the backingStore: of the parsed yaml object. In most cases the file + key was not set anyway - since vault was the only supported option. 
Since + we are introducing new options now, this method of defining behavior is + deprecated, but if the file key is included it must match the option defined + by values-global in the pattern, or there is an error. The default remains + 'vault' if the key is unspecified. + + Returns: + ret(str): The value of the top-level 'backingStore:' key + """ + file_backing_store = str(self.syaml.get("backingStore", "unset")) + + if file_backing_store == "unset": + pass + else: + if file_backing_store != self.secrets_backing_store: + self.module.fail_json( + f"Secrets file specifies '{file_backing_store}' backend but pattern config " + f"specifies '{self.secrets_backing_store}'." + ) + + return self.secrets_backing_store + + def _get_vault_policies(self, enable_default_vp_policies=True): + # We start off with the hard-coded default VP policy and add the user-defined ones + if enable_default_vp_policies: + policies = default_vp_vault_policies.copy() + else: + policies = {} + + # This is useful for embedded newlines, which occur with YAML + # flow-type scalars (|, |- for example) + for name, policy in self.syaml.get("vaultPolicies", {}).items(): + policies[name] = self._sanitize_yaml_value(policy) + + return policies + + def _get_secrets(self): + return self.syaml.get("secrets", {}) + + def _get_field_on_missing_value(self, f): + # By default if 'onMissingValue' is missing we assume we need to + # error out whenever the value is missing + return f.get("onMissingValue", "error") + + def _get_field_value(self, f): + return f.get("value", None) + + def _get_field_path(self, f): + return f.get("path", None) + + def _get_field_ini_file(self, f): + return f.get("ini_file", None) + + def _get_field_annotations(self, f): + return f.get("annotations", {}) + + def _get_field_labels(self, f): + return f.get("labels", {}) + + def _get_field_kind(self, f): + # value: null will be interpreted with None, so let's just + # check for the existence of the field, as we use 'value: null' to say + 
# "we want a value/secret and not a file path" + found = [] + for i in ["value", "path", "ini_file"]: + if i in f: + found.append(i) + + if len(found) > 1: # you can only have one of value, path and ini_file + self.module.fail_json( + f"Both '{found[0]}' and '{found[1]}' cannot be used " + f"in field {f['name']}" + ) + + if len(found) == 0: + return "" + return found[0] + + def _get_field_prompt(self, f): + return f.get("prompt", None) + + def _get_field_base64(self, f): + return bool(f.get("base64", False)) + + def _get_field_override(self, f): + return bool(f.get("override", False)) + + def _get_secret_store_namespace(self): + return str(self.syaml.get("secretStoreNamespace", secret_store_namespace)) + + def _get_vault_prefixes(self, s): + return list(s.get("vaultPrefixes", ["hub"])) + + def _get_default_labels(self): + return self.syaml.get("defaultLabels", {}) + + def _get_default_annotations(self): + return self.syaml.get("defaultAnnotations", {}) + + def _append_kubernetes_secret(self, secret_obj): + self.kubernetes_secret_objects.append(secret_obj) + + def _sanitize_yaml_value(self, value): + # This is useful for embedded newlines, which occur with YAML + # flow-type scalars (|, |- for example) + if value is not None: + sanitized_value = bytes(value, "utf-8").decode("unicode_escape") + else: + sanitized_value = None + + return sanitized_value + + def _create_k8s_secret(self, sname, secret_type, namespace, labels, annotations): + return { + "type": secret_type, + "kind": "Secret", + "apiVersion": "v1", + "metadata": { + "name": sname, + "namespace": namespace, + "annotations": annotations, + "labels": labels, + }, + "stringData": {}, + } + + # This does what inject_secrets used to (mostly) + def parse(self): + self.sanitize_values() + self.vault_policies = self._get_vault_policies() + self.secret_store_namespace = self._get_secret_store_namespace() + backing_store = self._get_backingstore() + secrets = self._get_secrets() + + total_secrets = 0 # Counter for 
all the secrets uploaded + for s in secrets: + total_secrets += 1 + counter = 0 # This counter is to use kv put on first secret and kv patch on latter + sname = s.get("name") + fields = s.get("fields", []) + vault_prefixes = self._get_vault_prefixes(s) + secret_type = s.get("type", "Opaque") + vault_mount = s.get("vaultMount", "secret") + target_namespaces = s.get("targetNamespaces", []) + labels = stringify_dict(s.get("labels", self._get_default_labels())) + annotations = stringify_dict( + s.get("annotations", self._get_default_annotations()) + ) + + self.parsed_secrets[sname] = { + "name": sname, + "fields": {}, + "vault_mount": vault_mount, + "vault_policies": {}, + "vault_prefixes": vault_prefixes, + "override": [], + "generate": [], + "paths": {}, + "base64": [], + "ini_file": {}, + "type": secret_type, + "target_namespaces": target_namespaces, + "labels": labels, + "annotations": annotations, + } + + for i in fields: + self._inject_field(sname, i) + counter += 1 + + if backing_store == "kubernetes": + k8s_namespaces = [self._get_secret_store_namespace()] + else: + k8s_namespaces = target_namespaces + + for tns in k8s_namespaces: + k8s_secret = self._create_k8s_secret( + sname, secret_type, tns, labels, annotations + ) + k8s_secret["stringData"] = self.parsed_secrets[sname]["fields"] + self.kubernetes_secret_objects.append(k8s_secret) + + return total_secrets + + # This function could use some rewriting and it should call a specific validation function + # for each type (value, path, ini_file) + def _validate_field(self, f): + # These fields are mandatory + try: + _ = f["name"] + except KeyError: + return (False, f"Field {f} is missing name") + + on_missing_value = self._get_field_on_missing_value(f) + if on_missing_value not in ["error", "generate", "prompt"]: + return (False, f"onMissingValue: {on_missing_value} is invalid") + + value = self._get_field_value(f) + path = self._get_field_path(f) + ini_file = self._get_field_ini_file(f) + kind = 
self._get_field_kind(f) + if kind == "ini_file": + # if we are using ini_file then at least ini_key needs to be defined + # ini_section defaults to 'default' when omitted + ini_key = f.get("ini_key", None) + if ini_key is None: + return ( + False, + "ini_file requires at least ini_key to be defined", + ) + + # Test if base64 is a correct boolean (defaults to False) + _ = self._get_field_base64(f) + _ = self._get_field_override(f) + + vault_policy = f.get("vaultPolicy", None) + if vault_policy is not None and vault_policy not in self._get_vault_policies(): + return ( + False, + f"Secret has vaultPolicy set to {vault_policy} but no such policy exists", + ) + + if on_missing_value in ["error"]: + if ( + (value is None or len(value) < 1) + and (path is None or len(path) < 1) + and (ini_file is None or len(ini_file) < 1) + ): + return ( + False, + "Secret has onMissingValue set to 'error' and has neither value nor path nor ini_file set", + ) + if path is not None and not os.path.isfile(os.path.expanduser(path)): + return (False, f"Field has non-existing path: {path}") + + if ini_file is not None and not os.path.isfile( + os.path.expanduser(ini_file) + ): + return (False, f"Field has non-existing ini_file: {ini_file}") + + if on_missing_value in ["prompt"]: + # When we prompt, the user needs to set one of the following: + # - value: null # prompt for a secret without a default value + # - value: 123 # prompt for a secret but use a default value + # - path: null # prompt for a file path without a default value + # - path: /tmp/ca.crt # prompt for a file path with a default value + if "value" not in f and "path" not in f: + return ( + False, + "Secret has onMissingValue set to 'prompt' but has no value nor path fields", + ) + + if "override" in f: + return ( + False, + "'override' attribute requires 'onMissingValue' to be set to 'generate'", + ) + + return (True, "") + + def _validate_secrets(self): + backing_store = self._get_backingstore() + secrets = self._get_secrets() 
+ if len(secrets) == 0: + self.module.fail_json("No secrets found") + + names = [] + for s in secrets: + # These fields are mandatory + for i in ["name"]: + try: + _ = s[i] + except KeyError: + return (False, f"Secret {s['name']} is missing {i}") + names.append(s["name"]) + + vault_prefixes = s.get("vaultPrefixes", ["hub"]) + # This checks for the case when vaultPrefixes: is specified but empty + if vault_prefixes is None or len(vault_prefixes) == 0: + return (False, f"Secret {s['name']} has empty vaultPrefixes") + + namespaces = s.get("targetNamespaces", []) + if not isinstance(namespaces, list): + return (False, f"Secret {s['name']} targetNamespaces must be a list") + + if backing_store == "none" and namespaces == []: + return ( + False, + f"Secret {s['name']} targetNamespaces cannot be empty for secrets backend {backing_store}", + ) # noqa: E501 + + labels = s.get("labels", {}) + if not isinstance(labels, dict): + return (False, f"Secret {s['name']} labels must be a dictionary") + + annotations = s.get("annotations", {}) + if not isinstance(annotations, dict): + return (False, f"Secret {s['name']} annotations must be a dictionary") + + fields = s.get("fields", []) + if len(fields) == 0: + return (False, f"Secret {s['name']} does not have any fields") + + field_names = [] + for i in fields: + (ret, msg) = self._validate_field(i) + if not ret: + return (False, msg) + field_names.append(i["name"]) + field_dupes = find_dupes(field_names) + if len(field_dupes) > 0: + return (False, f"You cannot have duplicate field names: {field_dupes}") + + dupes = find_dupes(names) + if len(dupes) > 0: + return (False, f"You cannot have duplicate secret names: {dupes}") + return (True, "") + + def sanitize_values(self): + """ + Sanitizes the secrets YAML object version 2.0 + + Parameters: + + Returns: + Nothing: Updates self.syaml(obj) if needed + """ + v = get_version(self.syaml) + if v not in ["2.0"]: + self.module.fail_json(f"Version is not 2.0: {v}") + + backing_store = 
self._get_backingstore() + if backing_store not in [ + "kubernetes", + "vault", + "none", + ]: # we currently only support vault + self.module.fail_json( + f"Currently only the 'vault', 'kubernetes' and 'none' backingStores are supported: {backing_store}" + ) + + (ret, msg) = self._validate_secrets() + if not ret: + self.module.fail_json(msg) + + def _get_secret_value(self, name, field): + on_missing_value = self._get_field_on_missing_value(field) + # We cannot use match + case as RHEL8 has python 3.9 (it needs 3.10) + # We checked for errors in _validate_secrets() already + if on_missing_value == "error": + return self._sanitize_yaml_value(field.get("value")) + elif on_missing_value == "prompt": + prompt = self._get_field_prompt(field) + if prompt is None: + prompt = f"Type secret for {name}/{field['name']}: " + value = self._get_field_value(field) + if value is not None: + prompt += f" [{value}]" + prompt += ": " + return getpass.getpass(prompt) + return None + + def _get_file_path(self, name, field): + on_missing_value = self._get_field_on_missing_value(field) + if on_missing_value == "error": + return os.path.expanduser(field.get("path")) + elif on_missing_value == "prompt": + prompt = self._get_field_prompt(field) + path = self._get_field_path(field) + if path is None: + path = "" + + if prompt is None: + text = f"Type path for file {name}/{field['name']} [{path}]: " + else: + text = f"{prompt} [{path}]: " + + newpath = getpass.getpass(text) + if newpath == "": # Set the default if no string was entered + newpath = path + + if os.path.isfile(os.path.expanduser(newpath)): + return newpath + self.module.fail_json(f"File {newpath} not found, exiting") + + self.module.fail_json("File with wrong onMissingValue") + + def _inject_field(self, secret_name, f): + on_missing_value = self._get_field_on_missing_value(f) + override = self._get_field_override(f) + kind = self._get_field_kind(f) + b64 = self._get_field_base64(f) + + if kind in ["value", ""]: + if 
on_missing_value == "generate": + self.parsed_secrets[secret_name]["generate"].append(f["name"]) + if self._get_backingstore() != "vault": + self.module.fail_json( + "You cannot have onMissingValue set to 'generate' unless using vault backingstore " + f"for secret {secret_name} field {f['name']}" + ) + else: + if kind in ["path", "ini_file"]: + self.module.fail_json( + "You cannot have onMissingValue set to 'generate' with a path or ini_file" + f" for secret {secret_name} field {f['name']}" + ) + + vault_policy = f.get("vaultPolicy", "validatedPatternDefaultPolicy") + + if override: + self.parsed_secrets[secret_name]["override"].append(f["name"]) + + if b64: + self.parsed_secrets[secret_name]["base64"].append(f["name"]) + + self.parsed_secrets[secret_name]["fields"][f["name"]] = None + self.parsed_secrets[secret_name]["vault_policies"][ + f["name"] + ] = vault_policy + + return + + # If we're not generating the secret inside the vault directly we either read it from the file ("error") + # or we are prompting the user for it + secret = self._get_secret_value(secret_name, f) + if b64: + secret = base64.b64encode(secret.encode()).decode("utf-8") + self.parsed_secrets[secret_name]["base64"].append(f["name"]) + + self.parsed_secrets[secret_name]["fields"][f["name"]] = secret + + elif kind == "path": # path. we upload files + path = self._get_file_path(secret_name, f) + self.parsed_secrets[secret_name]["paths"][f["name"]] = path + + binfile = False + + # Default to UTF-8 + try: + secret = open(path, encoding="utf-8").read() + except UnicodeDecodeError: + secret = open(path, "rb").read() + binfile = True + + if b64: + self.parsed_secrets[secret_name]["base64"].append(f["name"]) + if binfile: + secret = base64.b64encode(bytes(secret)).decode("utf-8") + else: + secret = base64.b64encode(secret.encode()).decode("utf-8") + + self.parsed_secrets[secret_name]["fields"][f["name"]] = secret + elif kind == "ini_file": # ini_file. 
we parse an ini_file + ini_file = os.path.expanduser(f.get("ini_file")) + ini_section = f.get("ini_section", "default") + ini_key = f.get("ini_key") + secret = get_ini_value(ini_file, ini_section, ini_key) + if b64: + self.parsed_secrets[secret_name]["base64"].append(f["name"]) + secret = base64.b64encode(secret.encode()).decode("utf-8") + + self.parsed_secrets[secret_name]["ini_file"][f["name"]] = { + "ini_file": ini_file, + "ini_section": ini_section, + "ini_key": ini_key, + } + self.parsed_secrets[secret_name]["fields"][f["name"]] = secret + + return diff --git a/ansible/plugins/modules/parse_secrets_info.py b/ansible/plugins/modules/parse_secrets_info.py new file mode 100644 index 0000000..b962271 --- /dev/null +++ b/ansible/plugins/modules/parse_secrets_info.py 
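Review bot: `_sanitize_yaml_value` in parse_secrets_v2.py silently alters secret values: `bytes(value, "utf-8").decode("unicode_escape")` re-decodes the UTF-8 bytes one byte at a time, so a non-ASCII character in a password (`é`, for example) comes out as two mojibake characters, and every backslash in a value is reinterpreted as an escape sequence, so a value such as `C:\new` loses its backslash. Because `_get_secret_value` applies it to every `value:` field on the `error` path, restrict it to the `vaultPolicies` text it was written for (where the HCL is a block scalar) or leave values exactly as YAML delivers them. Two smaller points in the same file: in `_get_secret_value` the prompt shows a `[default]` but an empty answer returns `""` instead of the default (unlike `_get_file_path`, which falls back to `path`), and in `_validate_field` the `len(value) < 1` check raises TypeError for a numeric `value: 123` under `onMissingValue: error`.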
@@ -0,0 +1,149 @@ +# Copyright 2022,2023 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +""" +Ansible plugin module that loads secrets from a yaml file and pushes them +inside the HashiCorp Vault in an OCP cluster. The values-secrets.yaml file is +expected to be in the following format: +--- +# version is optional. When not specified it is assumed it is 1.0 +version: 1.0 + +# These secrets will be pushed in the vault at secret/hub/test The vault will +# have secret/hub/test with secret1 and secret2 as keys with their associated +# values (secrets) +secrets: + test: + secret1: foo + secret2: bar + +# This will create the vault key secret/hub/testfoo which will have two +# properties 'b64content' and 'content' which will be the base64-encoded +# content and the normal content respectively +files: + testfoo: ~/ca.crt + +# These secrets will be pushed in the vault at secret/region1/test The vault will +# have secret/region1/test with secret1 and secret2 as keys with their associated +# values (secrets) +secrets.region1: + test: + secret1: foo1 + secret2: bar1 + +# This will create the vault key secret/region2/testbar which will have two +# properties 'b64content' and 'content' which will be the base64-encoded +# content and the normal content respectively +files.region2: + testbar: ~/ca.crt +""" + +import yaml +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.parse_secrets_v2 import ParseSecretsV2 + 
+ANSIBLE_METADATA = { + "metadata_version": "1.2", + "status": ["preview"], + "supported_by": "community", +} + +DOCUMENTATION = """ +--- +module: parse_secrets_info +short_description: Parses a Validated Patterns Secrets file for later loading +version_added: "2.50" +author: "Martin Jackson" +description: + - Takes a values-secret.yaml file, parses and returns values for secrets loading. The goal here is to do all the + work of reading and interpreting the file and resolving the content pointers (that is, creating content where it + is given) such that that content is then available for secrets vaults to load. It does not attempt to load the + content or interpret the content beyond the conventions of the file format. (So, it knows how to retrieve + ini-keys, about paths, and about base64 but leaves interaction with backends to backend-specific code. +options: + values_secrets_plaintext: + description: + - The unencrypted content of the values-secrets file + required: true + type: str + secrets_backing_store: + description: + - The secrets backing store that will be used for parsed secrets (i.e. 
vault, kubernetes, none) + required: false + default: vault + type: str +""" + +RETURN = """ +""" + +EXAMPLES = """ +- name: Parse secrets file into objects - backingstore defaults to vault + parse_secrets_info: + values_secrets_plaintext: '{{ }}' + register: secrets_info + +- name: Parse secrets file into data structures + parse_secrets_info: + values_secrets_plaintext: '{{ }}' + secrets_backing_store: 'kubernetes' + register: secrets_info + +- name: Parse secrets file into data structures + parse_secrets_info: + values_secrets_plaintext: '{{ }}' + secrets_backing_store: 'none' + register: secrets_info +""" + + +def run(module): + """Main ansible module entry point""" + results = dict(changed=False) + + args = module.params + values_secrets_plaintext = args.get("values_secrets_plaintext", "") + secrets_backing_store = args.get("secrets_backing_store", "vault") + + syaml = yaml.safe_load(values_secrets_plaintext) + + if syaml is None: + syaml = {} + + parsed_secret_obj = ParseSecretsV2(module, syaml, secrets_backing_store) + parsed_secret_obj.parse() + + results["failed"] = False + results["changed"] = False + + results["vault_policies"] = parsed_secret_obj.vault_policies + results["parsed_secrets"] = parsed_secret_obj.parsed_secrets + results["kubernetes_secret_objects"] = parsed_secret_obj.kubernetes_secret_objects + results["secret_store_namespace"] = parsed_secret_obj.secret_store_namespace + + module.exit_json(**results) + + +def main(): + """Main entry point where the AnsibleModule class is instantiated""" + module = AnsibleModule( + argument_spec=yaml.safe_load(DOCUMENTATION)["options"], + supports_check_mode=True, + ) + run(module) + + +if __name__ == "__main__": + main() diff --git a/ansible/plugins/modules/vault_load_parsed_secrets.py b/ansible/plugins/modules/vault_load_parsed_secrets.py new file mode 100644 index 0000000..cfcf973 --- /dev/null +++ b/ansible/plugins/modules/vault_load_parsed_secrets.py 
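Review bot: the `values_secrets_plaintext` option in parse_secrets_info.py carries the decrypted secrets file, but its argument_spec entry has no `no_log: true`, so Ansible's module-invocation logging (`-vvv` output, syslog on the host running the module) can record the whole file whenever a caller forgets the task-level `no_log`; add `no_log: true` to that option in DOCUMENTATION, since the spec is built from it via `yaml.safe_load(DOCUMENTATION)["options"]`. The module docstring also describes the v1 layout (`version: 1.0`, `secrets:`, `files:`, `secrets.region1:`) while `ParseSecretsV2.sanitize_values` rejects anything other than 2.0, and `RETURN` is empty although `vault_policies`, `parsed_secrets`, `kubernetes_secret_objects` and `secret_store_namespace` are returned.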
@@ -0,0 +1,302 @@ +# Copyright 2022 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +""" +Ansible plugin module that loads secrets and policies once parsed and pushes them +into a HashiCorp Vault in an OCP cluster. The values-secrets.yaml file is +expected to be in the following format: +--- +# version is optional. When not specified it is assumed it is 2.0 +version: 2.0 + +""" + +import os +import time + +import yaml +from ansible.module_utils.basic import AnsibleModule + +ANSIBLE_METADATA = { + "metadata_version": "1.1", + "status": ["preview"], + "supported_by": "community", +} + +DOCUMENTATION = """ +--- +module: vault_load_parsed_secrets +short_description: Loads secrets into the HashiCorp Vault +version_added: "2.50" +author: "Martin Jackson" +description: + - Takes parsed secrets objects and vault policies (as delivered by parse_secrets_info) and runs the commands to + load them into a vault instance. The relevent metadata will exist in the parsed secrets object. Returns count + of secrets injected. +options: + parsed_secrets: + description: + - A structure containing the secrets, fields, and their metadata + required: true + type: dict + vault_policies: + description: + - Vault policies to inject into the instance. 
+ required: true + type: dict + namespace: + description: + - Namespace where the vault is running + required: false + type: str + default: vault + pod: + description: + - Name of the vault pod to use to inject secrets + required: false + type: str + default: vault-0 +""" + +RETURN = """ +""" + +EXAMPLES = """ +- name: Loads secrets file into the vault of a cluster + vault_load_parsed_secrets: + parsed_secrets: "{{ parsed_secrets_structure_from_parse_secrets_info }}" + vault_policies: "{{ parsed_vault_policies_structure_from_parse_secrets_info }}" +""" + + +class VaultSecretLoader: + def __init__( + self, + module, + parsed_secrets, + vault_policies, + namespace, + pod, + ): + self.module = module + self.parsed_secrets = parsed_secrets + self.vault_policies = vault_policies + self.namespace = namespace + self.pod = pod + + def _run_command(self, command, attempts=1, sleep=3, checkrc=True): + """ + Runs a command on the host ansible is running on. A failing command + will raise an exception in this function directly (due to check=True) + + Parameters: + command(str): The command to be run. 
+ attempts(int): Number of times to retry in case of Error (defaults to 1) + sleep(int): Number of seconds to wait in between retry attempts (defaults to 3s) + + Returns: + ret(subprocess.CompletedProcess): The return value from run() + """ + for attempt in range(attempts): + ret = self.module.run_command( + command, + check_rc=checkrc, + use_unsafe_shell=True, + environ_update=os.environ.copy(), + ) + if ret[0] == 0: + return ret + if attempt >= attempts - 1: + return ret + time.sleep(sleep) + + def _vault_secret_attr_exists(self, mount, prefix, secret_name, attribute): + cmd = ( + f"oc exec -n {self.namespace} {self.pod} -i -- sh -c " + f'"vault kv get -mount={mount} -field={attribute} {prefix}/{secret_name}"' + ) + # we ignore stdout and stderr + (ret, _, _) = self._run_command(cmd, attempts=1, checkrc=False) + if ret == 0: + return True + + return False + + def load_vault(self): + injected_secret_count = 0 + + self.inject_vault_policies() + + for secret_name, secret in self.parsed_secrets.items(): + self.inject_secret(secret_name, secret) + injected_secret_count += 1 + + return injected_secret_count + + def inject_field( + self, + secret_name, + soverride, + sbase64, + sgenerate, + spaths, + svault_policies, + fieldname, + fieldvalue, + mount, + vault_prefixes, + first=False, + ): + # Special cases: + # generate w|wo override + # path (w|wo b64) + # + # inifile secrets will be resolved by parser + # values (including base64'd ones) will be resolved by parser + # And we just ignore k8s or other fields + + override = True if fieldname in soverride else False + b64 = True if fieldname in sbase64 else False + generate = True if fieldname in sgenerate else False + path = spaths.get(fieldname, False) + prefixes = vault_prefixes + verb = "put" if first else "patch" + policy = svault_policies.get(fieldname, False) + + # "generate" secrets are created with policies and may be overridden or not + if generate: + gen_cmd = ( + f"vault read -field=password 
sys/policies/password/{policy}/generate" + ) + if b64: + gen_cmd += " | base64 --wrap=0" + for prefix in prefixes: + # if the override field is False and the secret attribute exists at the prefix then we just + # skip, as we do not want to overwrite the existing secret + if not override and self._vault_secret_attr_exists( + mount, prefix, secret_name, fieldname + ): + continue + cmd = ( + f"oc exec -n {self.namespace} {self.pod} -i -- sh -c " + f'"{gen_cmd} | vault kv {verb} -mount={mount} {prefix}/{secret_name} {fieldname}=-"' + ) + self._run_command(cmd, attempts=3) + return + + if path: + for prefix in prefixes: + if b64: + b64_cmd = "| base64 --wrap=0" + else: + b64_cmd = "" + cmd = ( + f"cat '{path}' | oc exec -n {self.namespace} {self.pod} -i -- sh -c " + f"'cat - {b64_cmd}> /tmp/vcontent'; " + f"oc exec -n {self.namespace} {self.pod} -i -- sh -c '" + f"vault kv {verb} -mount={mount} {prefix}/{secret_name} {fieldname}=@/tmp/vcontent; " + f"rm /tmp/vcontent'" + ) + self._run_command(cmd, attempts=3) + return + + for prefix in prefixes: + cmd = ( + f"oc exec -n {self.namespace} {self.pod} -i -- sh -c " + f"\"vault kv {verb} -mount={mount} {prefix}/{secret_name} {fieldname}='{fieldvalue}'\"" + ) + self._run_command(cmd, attempts=3) + return + + def inject_secret(self, secret_name, secret): + mount = secret.get("vault_mount", "secret") + vault_prefixes = secret.get("vault_prefixes", ["hub"]) + + counter = 0 + # In this structure, each field will have one value + for fname, fvalue in secret.get("fields").items(): + self.inject_field( + secret_name=secret_name, + soverride=secret["override"], + sbase64=secret["base64"], + sgenerate=secret["generate"], + spaths=secret["paths"], + svault_policies=secret["vault_policies"], + fieldname=fname, + fieldvalue=fvalue, + mount=mount, + vault_prefixes=vault_prefixes, + first=counter == 0, + ) + counter += 1 + return + + def inject_vault_policies(self): + for name, policy in self.vault_policies.items(): + cmd = ( + f"echo 
'{policy}' | oc exec -n {self.namespace} {self.pod} -i -- sh -c " + f"'cat - > /tmp/{name}.hcl';" + f"oc exec -n {self.namespace} {self.pod} -i -- sh -c 'vault write sys/policies/password/{name} " + f" policy=@/tmp/{name}.hcl'" + ) + self._run_command(cmd, attempts=3) + + +def run(module): + """Main ansible module entry point""" + results = dict(changed=False) + + args = module.params + + vault_policies = args.get("vault_policies", {}) + parsed_secrets = args.get("parsed_secrets", {}) + namespace = args.get("namespace", "vault") + pod = args.get("pod", "vault-0") + + if vault_policies == {}: + results["failed"] = True + module.fail_json("Must pass vault_policies") + + if parsed_secrets == {}: + results["failed"] = True + module.fail_json("Must pass parsed_secrets") + + loader = VaultSecretLoader( + module, + parsed_secrets, + vault_policies, + namespace, + pod, + ) + + nr_secrets = loader.load_vault() + + results["failed"] = False + results["changed"] = True + results["msg"] = f"{nr_secrets} secrets injected" + module.exit_json(**results) + + +def main(): + """Main entry point where the AnsibleModule class is instantiated""" + module = AnsibleModule( + argument_spec=yaml.safe_load(DOCUMENTATION)["options"], + supports_check_mode=False, + ) + run(module) + + +if __name__ == "__main__": + main() diff --git a/ansible/roles/cluster_pre_check/defaults/main.yml b/ansible/roles/cluster_pre_check/defaults/main.yml new file mode 100644 index 0000000..fd6cdd5 --- /dev/null +++ b/ansible/roles/cluster_pre_check/defaults/main.yml @@ -0,0 +1,3 @@ +--- +kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}" +kubeconfig_backup: "{{ lookup('env', 'HOME') }}/.kube/config" diff --git a/ansible/roles/vault_utils/tasks/pre_check.yaml b/ansible/roles/cluster_pre_check/tasks/main.yml similarity index 100% rename from ansible/roles/vault_utils/tasks/pre_check.yaml rename to ansible/roles/cluster_pre_check/tasks/main.yml 
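Review bot: `inject_field` in vault_load_parsed_secrets.py interpolates the secret into a shell string, `f"\"vault kv {verb} -mount={mount} {prefix}/{secret_name} {fieldname}='{fieldvalue}'\""`, and runs it with `use_unsafe_shell=True` through `oc exec ... sh -c`, so a value containing a single quote, `$` or a backtick is either mangled or interpreted by the pod's shell, and the value is also exposed in the argument list of the local `oc` process and the in-pod `sh`/`vault` processes. Feed values through stdin the way the `generate` branch already does (`{fieldname}=-` with the value piped in); the same applies to `echo '{policy}' | oc exec ...` in `inject_vault_policies`. Two documentation points: the `_run_command` docstring still describes `subprocess` (`check=True`, returns `CompletedProcess`) while the code calls `module.run_command` and returns an `(rc, stdout, stderr)` tuple, and `results["failed"] = True` before each `fail_json` in `run()` is dead code since `fail_json` exits.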
diff --git a/ansible/roles/find_vp_secrets/tasks/main.yml b/ansible/roles/find_vp_secrets/tasks/main.yml new file mode 100644 index 0000000..ce847a0 --- /dev/null +++ b/ansible/roles/find_vp_secrets/tasks/main.yml 
@@ -0,0 +1,87 @@ +--- +# Once V1 support is dropped we can remove the whole secret_template support +- name: Set secret_template fact + no_log: "{{ override_no_log | default(true) }}" + ansible.builtin.set_fact: + secret_template: "{{ pattern_dir }}/values-secret.yaml.template" + +- name: Is a VALUES_SECRET env variable set? + ansible.builtin.set_fact: + custom_env_values_secret: "{{ lookup('ansible.builtin.env', 'VALUES_SECRET') }}" + +- name: Check if VALUES_SECRET file exists + ansible.builtin.stat: + path: "{{ custom_env_values_secret }}" + register: custom_file_values_secret + when: custom_env_values_secret | default('') | length > 0 + +- name: Set values-secret yaml file to {{ custom_file_values_secret.stat.path }} + ansible.builtin.set_fact: + found_file: "{{ custom_file_values_secret.stat.path }}" + when: + - custom_env_values_secret | default('') | length > 0 + - custom_file_values_secret.stat.exists + +# FIXME(bandini): Eventually around end of 2023(?) we should drop +# ~/values-secret-{{ pattern_name }}.yaml and ~/values-secret.yaml +- name: Find first existing values-secret yaml file + ansible.builtin.set_fact: + found_file: "{{ lookup('ansible.builtin.first_found', findme) }}" + vars: + findme: + - "~/.config/hybrid-cloud-patterns/values-secret-{{ pattern_name }}.yaml" + - "~/.config/validated-patterns/values-secret-{{ pattern_name }}.yaml" + - "~/values-secret-{{ pattern_name }}.yaml" + - "~/values-secret.yaml" + - "{{ pattern_dir }}/values-secret.yaml.template" + when: custom_env_values_secret | default('') | length == 0 + +- name: Is found values secret file encrypted + no_log: "{{ override_no_log | default(true) }}" + ansible.builtin.shell: | + set -o pipefail + head -1 "{{ found_file }}" | grep -q \$ANSIBLE_VAULT + changed_when: false + register: encrypted + failed_when: (encrypted.rc not in [0, 1]) + +# When HOME is set we replace it with '~' in this debug message +# because when run from inside the container the HOME is /pattern-home +# which is 
confusing for users +- name: Is found values secret file encrypted + ansible.builtin.debug: + msg: "Using {{ (lookup('env', 'HOME') | length > 0) | ternary(found_file | regex_replace('^' + lookup('env', 'HOME'), '~'), found_file) }} to parse secrets" + +- name: Set encryption bool fact + no_log: "{{ override_no_log | default(true) }}" + ansible.builtin.set_fact: + is_encrypted: "{{ encrypted.rc == 0 | bool }}" + +- name: Get password for "{{ found_file }}" + ansible.builtin.pause: + prompt: "Input the password for {{ found_file }}" + echo: false + when: is_encrypted + register: vault_pass + +- name: Get decrypted content if {{ found_file }} was encrypted + no_log: "{{ override_no_log | default(true) }}" + ansible.builtin.shell: + ansible-vault view --vault-password-file <(cat <<<"{{ vault_pass.user_input }}") "{{ found_file }}" + register: values_secret_plaintext + when: is_encrypted + changed_when: false + +- name: Normalize secrets format (un-encrypted) + no_log: '{{ override_no_log | default(true) }}' + ansible.builtin.set_fact: + values_secrets_data: "{{ lookup('file', found_file) | from_yaml }}" + when: not is_encrypted + changed_when: false + +- name: Normalize secrets format (encrypted) + no_log: '{{ override_no_log | default(true) }}' + ansible.builtin.set_fact: + values_secrets_data: "{{ values_secret_plaintext.stdout | from_yaml }}" + when: is_encrypted + changed_when: false diff --git a/ansible/roles/k8s_secret_utils/defaults/main.yml b/ansible/roles/k8s_secret_utils/defaults/main.yml new file mode 100644 index 0000000..7ebda20 --- /dev/null +++ b/ansible/roles/k8s_secret_utils/defaults/main.yml @@ -0,0 +1,2 @@ +--- +secrets_ns: 'validated-patterns-secrets' diff --git a/ansible/roles/k8s_secret_utils/tasks/inject_k8s_secret.yml b/ansible/roles/k8s_secret_utils/tasks/inject_k8s_secret.yml new file mode 100644 index 0000000..283fb6a --- /dev/null +++ b/ansible/roles/k8s_secret_utils/tasks/inject_k8s_secret.yml 
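Review bot: The decrypt task `ansible-vault view --vault-password-file <(cat <<<"{{ vault_pass.user_input }}") "{{ found_file }}"` relies on bash process substitution and a here-string, but `ansible.builtin.shell` runs `/bin/sh` unless `args: executable: /bin/bash` is set, so it fails on hosts where `sh` is dash; more importantly, the vault password is templated into the command string, so it appears in the `sh -c` argv (visible in `ps` on the controller while the task runs) and a password containing `"` or `$` is mangled by the shell. Passing it through `environment:` and pointing `--vault-password-file` at a small script that prints that variable keeps it out of argv and out of shell parsing. Also, `is_encrypted: "{{ encrypted.rc == 0 | bool }}"` binds as `encrypted.rc == (0 | bool)`, i.e. `rc == False`, and only works because Python evaluates `0 == False` as true; write `(encrypted.rc == 0) | bool`. The debug task reuses the name `Is found values secret file encrypted` from the preceding shell task; give it its own name (for example "Report which values-secret file is used") so the two are distinguishable in output.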
@@ -0,0 +1,15 @@ +--- +- name: Check for secrets namespace + no_log: false + kubernetes.core.k8s_info: + kind: Namespace + name: "{{ item['metadata']['namespace'] }}" + register: secrets_ns_rc + until: secrets_ns_rc.resources | length > 0 + retries: 20 + delay: 45 + +- name: Inject k8s secret + no_log: '{{ override_no_log | default(True) }}' + kubernetes.core.k8s: + definition: '{{ item }}' diff --git a/ansible/roles/k8s_secret_utils/tasks/inject_k8s_secrets.yml b/ansible/roles/k8s_secret_utils/tasks/inject_k8s_secrets.yml new file mode 100644 index 0000000..a229973 --- /dev/null +++ b/ansible/roles/k8s_secret_utils/tasks/inject_k8s_secrets.yml @@ -0,0 +1,5 @@ +--- +- name: Inject secrets + no_log: '{{ override_no_log | default(True) }}' + ansible.builtin.include_tasks: inject_k8s_secret.yml + loop: '{{ kubernetes_secret_objects }}' diff --git a/ansible/roles/k8s_secret_utils/tasks/main.yml b/ansible/roles/k8s_secret_utils/tasks/main.yml new file mode 100644 index 0000000..d72de7a --- /dev/null +++ b/ansible/roles/k8s_secret_utils/tasks/main.yml @@ -0,0 +1,6 @@ +--- +- name: Parse and extract k8s secrets from values-secret file + ansible.builtin.include_tasks: parse_secrets.yml + +- name: Inject k8s secrets + ansible.builtin.include_tasks: inject_k8s_secrets.yml diff --git a/ansible/roles/k8s_secret_utils/tasks/parse_secrets.yml b/ansible/roles/k8s_secret_utils/tasks/parse_secrets.yml new file mode 100644 index 0000000..b1755cc --- /dev/null +++ b/ansible/roles/k8s_secret_utils/tasks/parse_secrets.yml @@ -0,0 +1,12 @@ +--- +- name: Parse secrets data + # no_log: '{{ override_no_log | default(true) }}' + parse_secrets_info: + values_secrets_plaintext: "{{ values_secrets_data }}" + secrets_backing_store: "{{ secrets_backing_store }}" + register: secrets_results + +- name: Return kubernetes objects + no_log: '{{ override_no_log | default(true) }}' + ansible.builtin.set_fact: + kubernetes_secret_objects: "{{ secrets_results['kubernetes_secret_objects'] }}" 
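Review bot: In `parse_secrets.yml` the `no_log` line on `Parse secrets data` is commented out (`# no_log: '{{ override_no_log | default(true) }}'`), yet that task receives the whole decrypted file in `values_secrets_plaintext` and registers `secrets_results`, which carries every parsed field value and the generated Kubernetes Secret objects. With `no_log` disabled, a module failure or a `-v` run prints all of those secrets to the console and to whatever collects playbook output. Restore the `no_log` line so the task matches its sibling `Return kubernetes objects`, or state in a comment why it has to stay off.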
diff --git a/ansible/roles/vault_utils/tasks/push_parsed_secrets.yaml b/ansible/roles/vault_utils/tasks/push_parsed_secrets.yaml new file mode 100644 index 0000000..cbca15e --- /dev/null +++ b/ansible/roles/vault_utils/tasks/push_parsed_secrets.yaml @@ -0,0 +1,43 @@ +--- +- name: "Do pre-checks for Vault" + ansible.builtin.include_role: + name: vault_utils + tasks_from: vault_status + +# Unfortunately we cannot loop vault_status and just check if the vault is unsealed +# https://github.com/ansible/proposals/issues/136 +# So here we keep running the 'vault status' command until sealed is set to false +- name: If the vault is still sealed we need to retry + kubernetes.core.k8s_exec: + namespace: "{{ vault_ns }}" + pod: "{{ vault_pod }}" + command: vault status -format=json + register: vault_status_json + until: "'stdout' in vault_status_json and (not (vault_status_json.stdout | from_json)['sealed'] | bool)" + retries: 20 + delay: 45 + failed_when: "'stdout_lines' not in vault_status_json" + +# This step is not really needed when running make vault-init + load-secrets as +# everything is sequential +# It is needed when the vault is unsealed/configured inside the cluster and load-secrets +# gets run *while* the cronjob configures the vault. I.e. it might be half configured and return +# errors +- name: Make sure that the vault auth policy exists + kubernetes.core.k8s_exec: + namespace: "{{ vault_ns }}" + pod: "{{ vault_pod }}" + command: + sh -c "vault list auth/{{ vault_hub }}/role | grep '{{ vault_hub }}-role'" + register: vault_role_cmd + until: + - vault_role_cmd.rc is defined + - vault_role_cmd.rc == 0 + retries: 20 + delay: 45 + changed_when: false + +- name: Load parsed secrets into cluster vault + vault_load_parsed_secrets: + vault_policies: "{{ vault_policies }}" + parsed_secrets: "{{ parsed_secrets }}" diff --git a/ansible/roles/vault_utils/tasks/push_secrets.yaml b/ansible/roles/vault_utils/tasks/push_secrets.yaml index 31d2878..7954dc4 100644 
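Review bot: `Load parsed secrets into cluster vault` passes `vault_policies` and `parsed_secrets` to `vault_load_parsed_secrets` without a `no_log` setting, unlike the other secret-handling tasks in this series; if the module fails, Ansible echoes the invocation arguments, i.e. every parsed secret value, in the failure output. Add `no_log: "{{ override_no_log | default(true) }}"` to that task. Minor: `sh -c "vault list auth/{{ vault_hub }}/role | grep '{{ vault_hub }}-role'"` is a substring match, so any role whose name merely contains `<hub>-role` satisfies the readiness check; `grep -qx` (or an anchored pattern) makes it exact.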
--- a/ansible/roles/vault_utils/tasks/push_secrets.yaml +++ b/ansible/roles/vault_utils/tasks/push_secrets.yaml @@ -1,6 +1,4 @@ --- -- name: Vault pre checks - ansible.builtin.include_tasks: pre_check.yaml - name: Vault status check ansible.builtin.include_tasks: vault_status.yaml diff --git a/ansible/roles/vault_utils/tasks/vault_init.yaml b/ansible/roles/vault_utils/tasks/vault_init.yaml index 16ce73d..38e1e91 100644 --- a/ansible/roles/vault_utils/tasks/vault_init.yaml +++ b/ansible/roles/vault_utils/tasks/vault_init.yaml @@ -1,6 +1,4 @@ --- -- name: Vault pre checks - ansible.builtin.include_tasks: pre_check.yaml - name: Vault status check ansible.builtin.include_tasks: vault_status.yaml diff --git a/ansible/roles/vault_utils/tasks/vault_secrets_init.yaml b/ansible/roles/vault_utils/tasks/vault_secrets_init.yaml index 7e0741a..35327d5 100644 --- a/ansible/roles/vault_utils/tasks/vault_secrets_init.yaml +++ b/ansible/roles/vault_utils/tasks/vault_secrets_init.yaml @@ -1,7 +1,4 @@ --- -- name: Vault pre checks - ansible.builtin.include_tasks: pre_check.yaml - - name: Is secrets backend already enabled kubernetes.core.k8s_exec: namespace: "{{ vault_ns }}" diff --git a/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml b/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml index d4310e7..e930252 100644 --- a/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml +++ b/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml @@ -1,7 +1,4 @@ --- -- name: Vault pre checks - ansible.builtin.include_tasks: pre_check.yaml - - name: Find managed clusters kubernetes.core.k8s_info: kind: ManagedCluster diff --git a/ansible/roles/vault_utils/tasks/vault_unseal.yaml b/ansible/roles/vault_utils/tasks/vault_unseal.yaml index 862f19d..43232ac 100644 --- a/ansible/roles/vault_utils/tasks/vault_unseal.yaml +++ b/ansible/roles/vault_utils/tasks/vault_unseal.yaml 
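Review bot: These hunks drop the `Vault pre checks` include (`ansible.builtin.include_tasks: pre_check.yaml`) from `push_secrets.yaml`, `vault_init.yaml`, `vault_secrets_init.yaml` and `vault_spokes_init.yaml` (the `vault_unseal.yaml` hunk that follows does the same), and the checks move to the new `cluster_pre_check` role, but nothing in the visible diff wires that role into the playbooks that call these task files. Please confirm, ideally within this series, that every entry point now runs `cluster_pre_check` before the vault tasks; otherwise `vault_init` and `vault_unseal` lose the pre-check they had before this change.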
@@ -1,6 +1,4 @@ --- -- name: Vault pre checks - ansible.builtin.include_tasks: pre_check.yaml - name: Vault status check ansible.builtin.include_tasks: vault_status.yaml diff --git a/ansible/roles/vault_utils/values-secrets.v2.schema.json b/ansible/roles/vault_utils/values-secrets.v2.schema.json index c9723d6..c8b5c02 100644 --- a/ansible/roles/vault_utils/values-secrets.v2.schema.json +++ b/ansible/roles/vault_utils/values-secrets.v2.schema.json @@ -10,7 +10,7 @@ "title": "Hybrid Cloud Patterns - values-secret.yaml files schema V2", "description": "This schema defines the values-secret.yaml file as used by [Validated Patterns](https://hybrid-cloud-patterns.io)", "type": "object", - "examples": [ + "examples": [ { "version": "2.0", "backingStore": "vault", @@ -105,6 +105,19 @@ "$ref": "#/definitions/VaultPolicies", "description": "A dictionary of {name}:{policy} of custom vault password policies" }, + "secretStoreNamespace": { + "type": "string", + "description": "Namespace to store secrets in for kubernetes loader", + "default": "validated-patterns-secrets" + }, + "defaultLabels": { + "type": "object", + "description": "Default labels to add to secret objects for kubernetes loader" + }, + "defaultAnnotations": { + "type": "object", + "description": "Default labels to add to secret objects for kubernetes loader" + }, "secrets": { "$ref": "#/definitions/Secrets", "description": "The list of actual secrets to be uploaded in the vault" 
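Review bot: In the `defaultAnnotations` property the description reads `"Default labels to add to secret objects for kubernetes loader"`, a copy-paste of the `defaultLabels` text; it should say annotations. The `secretStoreNamespace` default `validated-patterns-secrets` duplicates the value hard-coded in `k8s_secret_utils/defaults/main.yml` (`secrets_ns: 'validated-patterns-secrets'`); deriving one from the other would stop them drifting apart. The `- "examples": [` / `+ "examples": [` pair appears to be a whitespace-only change and could be dropped from this hunk.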
@@ -166,6 +179,23 @@ }, "default": [ "hub" ] }, + "targetNamespaces": { + "type": "array", + "description": "The namespace(s) that the secret will be injected into, ignored by configs using ESO", + "items": { + "type": "string", + "minItems": 1, + "uniqueItems": true + } + }, + "annotations": { + "type": "object", + "description": "Annotations to add to the kubernetes secret object, which override defaults" + }, + "labels": { + "type": "object", + "description": "Labels to add to the kubernetes secret object, which override defaults" + }, "fields": { "type": "array", "description": "This is the list of actual secret material that will be placed in a vault key's attributes", diff --git a/ansible/tests/unit/test_parse_secrets.py b/ansible/tests/unit/test_parse_secrets.py new file mode 100644 index 0000000..0cfef1b --- /dev/null +++ b/ansible/tests/unit/test_parse_secrets.py 
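Review bot: In `targetNamespaces`, `"minItems": 1` and `"uniqueItems": true` sit inside `items` (the per-element string schema), where JSON Schema ignores them; move both up one level next to `"type": "array"` so an empty list or duplicate namespaces is actually rejected. The description says the field is "ignored by configs using ESO"; since the tests in this series show the parser emitting one Secret object per target namespace when `secrets_backing_store` is `none` or `kubernetes`, naming the backing stores that honour it would save users a surprise.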
@@ -0,0 +1,981 @@ +# Copyright 2022, 2023 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +""" +Simple module to test parse_secret_info +""" + +import base64 +import configparser +import json +import os +import sys +import unittest +from unittest import mock +from unittest.mock import patch + +from ansible.module_utils import basic +from ansible.module_utils.common.text.converters import to_bytes +from test_util_datastructures import ( + DEFAULT_KUBERNETES_METADATA, + DEFAULT_KUBERNETES_SECRET_OBJECT, + DEFAULT_PARSED_SECRET_VALUE, + DEFAULT_VAULT_POLICIES, +) + +# from unittest.mock import call, patch + +# TODO(bandini): I could not come up with something better to force the imports to be existing +# when we "import parse_secrets_info" +sys.path.insert(1, "./ansible/plugins/module_utils") +sys.path.insert(1, "./ansible/plugins/modules") + +import load_secrets_common # noqa: E402 + +sys.modules["ansible.module_utils.load_secrets_common"] = load_secrets_common + +import parse_secrets_v2 # noqa: E402 + +sys.modules["ansible.module_utils.parse_secrets_v2"] = parse_secrets_v2 + +import parse_secrets_info # noqa: E402 + +sys.modules["ansible.modules.parse_secrets_info"] = parse_secrets_info + + +def set_module_args(args): + """prepare arguments so that they will be picked up during module creation""" + args = json.dumps({"ANSIBLE_MODULE_ARGS": args}) + basic._ANSIBLE_ARGS = to_bytes(args) + + +class BytesEncoder(json.JSONEncoder): + 
def default(self, o): + if isinstance(o, bytes): + return base64.b64encode(o).decode("ascii") + else: + return super().default(o) + + +def json_str(a): + return json.dumps(a, sort_keys=True, cls=BytesEncoder) + + +def ds_eq(a, b): + """ + This function takes two arbitrary data structures, sorts their keys, stringifies them into JSON + and compares them. The idea here is to test data structure difference without having to write + an involved recursive data structure parser. If the function returns true, the two data + structures are equal. + """ + print("a=" + json_str(a)) + print("b=" + json_str(b)) + return json_str(a) == json_str(b) + + +class AnsibleExitJson(Exception): + """Exception class to be raised by module.exit_json and caught by the test case""" + + pass + + +class AnsibleFailJson(Exception): + """Exception class to be raised by module.fail_json and caught by the test case""" + + pass + + +def exit_json(*args, **kwargs): + """function to patch over exit_json; package return data into an exception""" + if "changed" not in kwargs: + kwargs["changed"] = False + raise AnsibleExitJson(kwargs) + + +def fail_json(*args, **kwargs): + """function to patch over fail_json; package return data into an exception""" + kwargs["failed"] = True + kwargs["args"] = args + raise AnsibleFailJson(kwargs) + + +@mock.patch("getpass.getpass") +class TestMyModule(unittest.TestCase): + def create_inifile(self): + self.inifile = open("/tmp/awscredentials", "w") + config = configparser.ConfigParser() + config["default"] = { + "aws_access_key_id": "123123", + "aws_secret_access_key": "abcdefghi", + } + config["foobar"] = { + "aws_access_key_id": "345345", + "aws_secret_access_key": "rstuvwxyz", + } + with self.inifile as configfile: + config.write(configfile) + + def create_testbinfile(self): + with open(self.binfilename, "wb") as f: + f.write(bytes([8, 6, 7, 5, 3, 0, 9])) + f.close() + + def setUp(self): + self.binfilename = "/tmp/testbinfile.bin" + self.mock_module_helper = 
patch.multiple( + basic.AnsibleModule, exit_json=exit_json, fail_json=fail_json + ) + self.mock_module_helper.start() + self.addCleanup(self.mock_module_helper.stop) + self.testdir_v2 = os.path.join(os.path.dirname(os.path.abspath(__file__)), "v2") + self.testfile = open("/tmp/ca.crt", "w") + self.create_inifile() + self.create_testbinfile() + # For ~/expanduser tests + self.orig_home = os.environ["HOME"] + os.environ["HOME"] = self.testdir_v2 + + def tearDown(self): + os.environ["HOME"] = self.orig_home + self.testfile.close() + try: + os.remove("/tmp/ca.crt") + os.remove(self.binfilename) + # os.remove("/tmp/awscredentials") + except OSError: + pass + + def get_file_as_stdout(self, filename, openmode="r"): + with open(filename, mode=openmode, encoding="utf-8") as f: + return f.read() + + def test_module_fail_when_required_args_missing(self, getpass): + with self.assertRaises(AnsibleFailJson): + set_module_args({}) + parse_secrets_info.main() + + def test_module_parse_base(self, getpass): + getpass.return_value = "/tmp/ca.crt" + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-base.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + } + ) + parse_secrets_info.main() + + ret = result.exception.args[0] + self.assertTrue( + (ret["failed"] is False) + and (ret["changed"] is False) + and (len(ret["parsed_secrets"])) == 1 + and (len(ret["kubernetes_secret_objects"]) == 0) + ) + + def test_module_parse_base_parsed_secrets(self, getpass): + getpass.return_value = "/tmp/ca.crt" + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-base.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + } + ) + parse_secrets_info.main() + + vp = DEFAULT_VAULT_POLICIES | { + "basicPolicy": 'length=10\nrule "charset" { charset = 
"abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\n', # noqa: E501 + "advancedPolicy": 'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n', # noqa: E501 + } + + # Beware reading this structure aloud to your cat... + pspsps = { + "config-demo": DEFAULT_PARSED_SECRET_VALUE + | { + "name": "config-demo", + "fields": { + "secret": None, + "secret2": "/tmp/ca.crt", + "ca_crt": "", + "ca_crt2": "", + }, + "base64": ["ca_crt2"], + "generate": ["secret"], + "override": ["secret"], + "vault_policies": { + "secret": "basicPolicy", + }, + "vault_prefixes": [ + "region-one", + "snowflake.blueprints.rhecoeng.com", + ], + "paths": { + "ca_crt": "/tmp/ca.crt", + "ca_crt2": "/tmp/ca.crt", + }, + }, + } + + ret = result.exception.args[0] + self.assertTrue( + (ret["failed"] is False) + and (ret["changed"] is False) + and (ds_eq(vp, ret["vault_policies"])) + and (ds_eq(pspsps, ret["parsed_secrets"])) + ) + + def test_module_parsed_secret_ini_files(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-ini-file.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + } + ) + parse_secrets_info.main() + + ps = { + "aws": DEFAULT_PARSED_SECRET_VALUE + | { + "name": "aws", + "fields": { + "aws_access_key_id": "123123", + "aws_secret_access_key": "abcdefghi", + }, + "ini_file": { + "aws_access_key_id": { + "ini_file": "/tmp/awscredentials", + "ini_section": "default", + "ini_key": "aws_access_key_id", + }, + "aws_secret_access_key": { + "ini_file": "/tmp/awscredentials", + "ini_section": "default", + "ini_key": 
"aws_secret_access_key", + }, + }, + }, + "awsfoobar": DEFAULT_PARSED_SECRET_VALUE + | { + "name": "awsfoobar", + "fields": { + "aws_access_key_id": "345345", + "aws_secret_access_key": "rstuvwxyz", + }, + "ini_file": { + "aws_access_key_id": { + "ini_file": "/tmp/awscredentials", + "ini_section": "foobar", + "ini_key": "aws_access_key_id", + }, + "aws_secret_access_key": { + "ini_file": "/tmp/awscredentials", + "ini_section": "foobar", + "ini_key": "aws_secret_access_key", + }, + }, + }, + } + + ret = result.exception.args[0] + self.assertTrue( + (ret["failed"] is False) + and (ret["changed"] is False) + and (len(ret["parsed_secrets"]) == 2) + and (ds_eq(ps, ret["parsed_secrets"])) + ) + + def test_module_parsed_secret_ini_files_base64(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-ini-file-b64.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + } + ) + parse_secrets_info.main() + + ps = { + "aws": DEFAULT_PARSED_SECRET_VALUE + | { + "name": "aws", + "fields": { + "aws_access_key_id": "A123456789012345678A", + "aws_secret_access_key": "A12345678901234567890123456789012345678A", + }, + "ini_file": { + "aws_access_key_id": { + "ini_file": f"{os.environ['HOME']}/aws-example.ini", + "ini_section": "default", + "ini_key": "aws_access_key_id", + }, + "aws_secret_access_key": { + "ini_file": f"{os.environ['HOME']}/aws-example.ini", + "ini_section": "default", + "ini_key": "aws_secret_access_key", + }, + }, + }, + "awsb64": DEFAULT_PARSED_SECRET_VALUE + | { + "name": "awsb64", + "fields": { + "aws_access_key_id": "QTEyMzQ1Njc4OTAxMjM0NTY3OEE=", + "aws_secret_access_key": "QTEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4QQ==", + }, + "base64": [ + "aws_access_key_id", + "aws_secret_access_key", + ], + "ini_file": { + "aws_access_key_id": { + "ini_file": f"{os.environ['HOME']}/aws-example.ini", + "ini_section": "default", + 
"ini_key": "aws_access_key_id", + }, + "aws_secret_access_key": { + "ini_file": f"{os.environ['HOME']}/aws-example.ini", + "ini_section": "default", + "ini_key": "aws_secret_access_key", + }, + }, + }, + } + + ret = result.exception.args[0] + self.assertTrue( + (ret["failed"] is False) + and (ret["changed"] is False) + and (len(ret["parsed_secrets"]) == 2) + and (len(ret["kubernetes_secret_objects"]) == 0) + and (ds_eq(ps, ret["parsed_secrets"])) + ) + + def test_module_parsed_secret_ini_files_base64_kubernetes(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-ini-file-b64.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "kubernetes", + } + ) + parse_secrets_info.main() + + ps = { + "aws": DEFAULT_PARSED_SECRET_VALUE + | { + "name": "aws", + "fields": { + "aws_access_key_id": "A123456789012345678A", + "aws_secret_access_key": "A12345678901234567890123456789012345678A", + }, + "ini_file": { + "aws_access_key_id": { + "ini_file": f"{os.environ['HOME']}/aws-example.ini", + "ini_section": "default", + "ini_key": "aws_access_key_id", + }, + "aws_secret_access_key": { + "ini_file": f"{os.environ['HOME']}/aws-example.ini", + "ini_section": "default", + "ini_key": "aws_secret_access_key", + }, + }, + }, + "awsb64": DEFAULT_PARSED_SECRET_VALUE + | { + "name": "awsb64", + "fields": { + "aws_access_key_id": "QTEyMzQ1Njc4OTAxMjM0NTY3OEE=", + "aws_secret_access_key": "QTEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4QQ==", + }, + "base64": [ + "aws_access_key_id", + "aws_secret_access_key", + ], + "ini_file": { + "aws_access_key_id": { + "ini_file": f"{os.environ['HOME']}/aws-example.ini", + "ini_section": "default", + "ini_key": "aws_access_key_id", + }, + "aws_secret_access_key": { + "ini_file": f"{os.environ['HOME']}/aws-example.ini", + "ini_section": "default", + "ini_key": "aws_secret_access_key", + 
}, + }, + }, + } + + ret = result.exception.args[0] + self.assertTrue( + (ret["failed"] is False) + and (ret["changed"] is False) + and (len(ret["parsed_secrets"]) == 2) + and (len(ret["kubernetes_secret_objects"]) == 2) + and (ds_eq(ps, ret["parsed_secrets"])) + ) + + def test_module_default_labels(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-default-labels.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "kubernetes", + } + ) + parse_secrets_info.main() + + ret = result.exception.args[0] + self.assertTrue( + ds_eq( + ret["kubernetes_secret_objects"][0], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "metadata": DEFAULT_KUBERNETES_METADATA + | { + "name": "test-secret", + "labels": {"testlabel": "4"}, + "namespace": "validated-patterns-secrets", + }, + "stringData": {"username": "user"}, + }, + ) + ) + + def test_module_override_labels(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-override-labels.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "kubernetes", + } + ) + parse_secrets_info.main() + ret = result.exception.args[0] + self.assertTrue( + ds_eq( + ret["kubernetes_secret_objects"][0], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "metadata": DEFAULT_KUBERNETES_METADATA + | { + "name": "test-secret", + "labels": {"overridelabel": "42"}, + }, + "stringData": {"username": "user"}, + }, + ) + ) + + def test_module_override_namespace(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-override-namespace.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": 
"kubernetes", + } + ) + parse_secrets_info.main() + ret = result.exception.args[0] + self.assertTrue( + len(ret["kubernetes_secret_objects"]) == 1 + and ds_eq( + ret["kubernetes_secret_objects"][0], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "metadata": DEFAULT_KUBERNETES_METADATA + | { + "name": "test-secret", + "namespace": "overridden-namespace", + }, + "stringData": {"username": "user"}, + }, + ) + ) + + def test_module_none_extra_namespaces(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-more-namespaces.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "none", + } + ) + parse_secrets_info.main() + ret = result.exception.args[0] + self.assertTrue( + len(ret["kubernetes_secret_objects"]) == 2 + and ds_eq( + ret["kubernetes_secret_objects"][0], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "metadata": DEFAULT_KUBERNETES_METADATA + | { + "name": "test-secret", + "namespace": "default", + }, + "stringData": {"username": "user"}, + }, + ) + and ds_eq( + ret["kubernetes_secret_objects"][1], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "metadata": DEFAULT_KUBERNETES_METADATA + | { + "name": "test-secret", + "namespace": "extra", + }, + "stringData": {"username": "user"}, + }, + ) + ) + + def test_module_override_type_kubernetes(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-override-type.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "kubernetes", + } + ) + parse_secrets_info.main() + ret = result.exception.args[0] + self.assertTrue( + len(ret["kubernetes_secret_objects"]) == 1 + and ds_eq( + ret["kubernetes_secret_objects"][0], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "type": "user-specified", + "metadata": 
DEFAULT_KUBERNETES_METADATA + | { + "name": "test-secret", + }, + "stringData": {"username": "user"}, + }, + ) + ) + + def test_module_override_type_none(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-override-type-none.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "none", + } + ) + parse_secrets_info.main() + ret = result.exception.args[0] + self.assertTrue( + len(ret["kubernetes_secret_objects"]) == 1 + and ds_eq( + ret["kubernetes_secret_objects"][0], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "type": "user-specified", + "metadata": DEFAULT_KUBERNETES_METADATA + | {"name": "test-secret", "namespace": "default"}, + "stringData": {"username": "user"}, + }, + ) + ) + + def test_module_secret_file_contents(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-file-contents.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "kubernetes", + } + ) + parse_secrets_info.main() + ret = result.exception.args[0] + self.assertTrue( + len(ret["kubernetes_secret_objects"]) == 1 + and ds_eq( + ret["kubernetes_secret_objects"][0], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "metadata": DEFAULT_KUBERNETES_METADATA + | { + "name": "test-secret", + }, + "stringData": {"username": "This space intentionally left blank\n"}, + }, + ) + ) + + def test_module_secret_file_contents_b64(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-file-contents-b64.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "kubernetes", + } + ) + parse_secrets_info.main() + ret = result.exception.args[0] 
+ self.assertTrue( + len(ret["kubernetes_secret_objects"]) == 1 + and ds_eq( + ret["kubernetes_secret_objects"][0], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "metadata": DEFAULT_KUBERNETES_METADATA + | { + "name": "test-secret", + }, + "stringData": { + "username": "VGhpcyBzcGFjZSBpbnRlbnRpb25hbGx5IGxlZnQgYmxhbmsK" + }, + }, + ) + ) + + def test_module_secret_file_contents_double_b64(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join( + self.testdir_v2, "values-secret-v2-file-contents-double-b64.yaml" + ) + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "kubernetes", + } + ) + parse_secrets_info.main() + ret = result.exception.args[0] + self.assertTrue( + len(ret["kubernetes_secret_objects"]) == 1 + and ds_eq( + ret["kubernetes_secret_objects"][0], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "metadata": DEFAULT_KUBERNETES_METADATA + | { + "name": "test-secret", + }, + "stringData": { + "username": "VkdocGN5QnpjR0ZqWlNCcGJuUmxiblJwYjI1aGJHeDVJR3hsWm5RZ1lteGhibXNL" + }, + }, + ) + ) + + def test_module_secret_file_contents_binary_b64(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-secret-binary-b64.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "kubernetes", + } + ) + parse_secrets_info.main() + ret = result.exception.args[0] + + # The binary bytes are [ 8, 6, 7, 5, 3, 0, 9 ] (IYKYK) + self.assertTrue( + len(ret["kubernetes_secret_objects"]) == 1 + and ds_eq( + ret["kubernetes_secret_objects"][0], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "metadata": DEFAULT_KUBERNETES_METADATA + | { + "name": "secret", + }, + "stringData": {"secret": "CAYHBQMACQ=="}, + }, + ) + ) + + def test_ensure_success_retrieving_block_yaml_policy(self, getpass): + testfile_output = 
self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-defaultvp-policy.yaml") + ) + with self.assertRaises(AnsibleExitJson) as ansible_err: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "vault", + } + ) + parse_secrets_info.main() + + ret = ansible_err.exception.args[0] + self.assertTrue( + ds_eq( + ret["vault_policies"], + { + "basicPolicy": 'length=10\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\n', # noqa: E501 + "validatedPatternDefaultPolicy": 'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n', # noqa: E501 + }, + ) + ) + + def test_ensure_success_retrieving_block_yaml_value(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-block-yamlstring.yaml") + ) + with self.assertRaises(AnsibleExitJson) as ansible_err: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "vault", + } + ) + parse_secrets_info.main() + + ret = ansible_err.exception.args[0] + self.assertTrue( + ds_eq( + ret["parsed_secrets"], + { + "config-demo": DEFAULT_PARSED_SECRET_VALUE + | { + "fields": { + "sshprivkey": "ssh-rsa oNb/kAvwdQl+FKdwzzKo5rnGIB68UOxWoaKPnKdgF/ts67CDBslWGnpUZCpp8TdaxfHmpoyA6nutMwQw8OAMEUybxvilDn+ZVJ/5qgfRBdi8wLKRLTIj0v+ZW7erN9yuZG53xUQAaQjivM3cRyNLIZ9torShYaYwD1UTTDkV97RMfNDlWI5f5FGRvfy429ZfCwbUWUbijrcv/mWc/uO3x/+MBXwa4f8ubzEYlrt4yH/Vbpzs67kE9UJ9z1zurFUFJydy1ZDAdKSiBS91ImI3ccKnbz0lji2bgSYR0Wp1IQhzSpjyJU2rIu9HAEUh85Rwf2jakfLpMcg/hSBer3sG kilroy@example.com", # noqa: E501 + "sshpubkey": "-----BEGIN OPENSSH PRIVATE 
KEY-----\nTtzxGgWrNerAr1hzUqPW2xphF/Aur1rQXSLv4J7frEJxNED6u/eScsNgwJMGXwRx7QYVohh0ARHVhJdUzJK7pEIphi4BGw==\nwlo+oQsi828b47SKZB8/K9dbeLlLiXh9/hu47MGpeGHZsKbjAdauncuw+YUDDN2EADJjasNMZHjxYhXKtqDjXTIw1X1n0Q==\n-----END OPENSSH PRIVATE KEY-----", # noqa: E501 + }, + "name": "config-demo", + } + }, + ) + ) + + def test_ensure_kubernetes_object_block_yaml_value(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-block-yamlstring.yaml") + ) + with self.assertRaises(AnsibleExitJson) as ansible_err: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "kubernetes", + } + ) + parse_secrets_info.main() + + ret = ansible_err.exception.args[0] + self.assertTrue( + ds_eq( + ret["kubernetes_secret_objects"][0], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "metadata": DEFAULT_KUBERNETES_METADATA + | { + "name": "config-demo", + }, + "stringData": { + "sshprivkey": "ssh-rsa oNb/kAvwdQl+FKdwzzKo5rnGIB68UOxWoaKPnKdgF/ts67CDBslWGnpUZCpp8TdaxfHmpoyA6nutMwQw8OAMEUybxvilDn+ZVJ/5qgfRBdi8wLKRLTIj0v+ZW7erN9yuZG53xUQAaQjivM3cRyNLIZ9torShYaYwD1UTTDkV97RMfNDlWI5f5FGRvfy429ZfCwbUWUbijrcv/mWc/uO3x/+MBXwa4f8ubzEYlrt4yH/Vbpzs67kE9UJ9z1zurFUFJydy1ZDAdKSiBS91ImI3ccKnbz0lji2bgSYR0Wp1IQhzSpjyJU2rIu9HAEUh85Rwf2jakfLpMcg/hSBer3sG kilroy@example.com", # noqa: E501 + "sshpubkey": "-----BEGIN OPENSSH PRIVATE KEY-----\nTtzxGgWrNerAr1hzUqPW2xphF/Aur1rQXSLv4J7frEJxNED6u/eScsNgwJMGXwRx7QYVohh0ARHVhJdUzJK7pEIphi4BGw==\nwlo+oQsi828b47SKZB8/K9dbeLlLiXh9/hu47MGpeGHZsKbjAdauncuw+YUDDN2EADJjasNMZHjxYhXKtqDjXTIw1X1n0Q==\n-----END OPENSSH PRIVATE KEY-----", # noqa: E501 + }, + }, + ) + ) + + def test_ensure_kubernetes_backend_allowed(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-base-k8s-backend.yaml") + ) + with self.assertRaises(AnsibleExitJson) as ansible_err: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + 
"secrets_backing_store": "kubernetes", + } + ) + parse_secrets_info.main() + + ret = ansible_err.exception.args[0] + self.assertFalse(ret["failed"]) + + def test_ensure_none_backend_allowed(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-base-none-backend.yaml") + ) + with self.assertRaises(AnsibleExitJson) as ansible_err: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "none", + } + ) + parse_secrets_info.main() + + ret = ansible_err.exception.args[0] + self.assertFalse(ret["failed"]) + + def test_ensure_error_conflicting_backends(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-base-k8s-backend.yaml") + ) + with self.assertRaises(AnsibleFailJson) as ansible_err: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "vault", + } + ) + parse_secrets_info.main() + + ret = ansible_err.exception.args[0] + self.assertEqual(ret["failed"], True) + assert ( + ret["args"][1] + == "Secrets file specifies 'kubernetes' backend but pattern config specifies 'vault'." 
+ ) + + def test_ensure_error_unknown_backends(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-base-unknown-backend.yaml") + ) + with self.assertRaises(AnsibleFailJson) as ansible_err: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "unknown", + } + ) + parse_secrets_info.main() + + ret = ansible_err.exception.args[0] + self.assertEqual(ret["failed"], True) + assert ( + ret["args"][1] + == "Currently only the 'vault', 'kubernetes' and 'none' backingStores are supported: unknown" + ) + + def test_ensure_error_secrets_same_name(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-same-secret-names.yaml") + ) + with self.assertRaises(AnsibleFailJson) as ansible_err: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + } + ) + parse_secrets_info.main() + + ret = ansible_err.exception.args[0] + self.assertEqual(ret["failed"], True) + assert ( + ret["args"][1] == "You cannot have duplicate secret names: ['config-demo']" + ) + + def test_ensure_error_fields_same_name(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-same-field-names.yaml") + ) + with self.assertRaises(AnsibleFailJson) as ansible_err: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + } + ) + parse_secrets_info.main() + + ret = ansible_err.exception.args[0] + self.assertEqual(ret["failed"], True) + assert ret["args"][1] == "You cannot have duplicate field names: ['secret']" + + def test_ensure_generate_errors_on_kubernetes(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-generic-onlygenerate.yaml") + ) + with self.assertRaises(AnsibleFailJson) as ansible_err: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "kubernetes", + } + ) + 
parse_secrets_info.main() + + ret = ansible_err.exception.args[0] + self.assertEqual(ret["failed"], True) + assert ( + ret["args"][1] + == "You cannot have onMissingValue set to 'generate' unless using vault backingstore for secret config-demo field secret" # noqa: E501 + ) + + def test_ensure_generate_errors_on_none_generate(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-generic-onlygenerate.yaml") + ) + with self.assertRaises(AnsibleFailJson) as ansible_err: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "none", + } + ) + parse_secrets_info.main() + + ret = ansible_err.exception.args[0] + self.assertEqual(ret["failed"], True) + assert ( + ret["args"][1] + == "You cannot have onMissingValue set to 'generate' unless using vault backingstore for secret config-demo field secret" # noqa: E501 + ) + + +if __name__ == "__main__": + unittest.main() diff --git a/ansible/tests/unit/test_util_datastructures.py b/ansible/tests/unit/test_util_datastructures.py new file mode 100644 index 0000000..11d7cda --- /dev/null +++ b/ansible/tests/unit/test_util_datastructures.py 
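Review bot: The `self.assertTrue(len(ret["kubernetes_secret_objects"]) == 1 and ds_eq(...))` pattern used throughout test_parse_secrets_info.py (test_module_override_type_none, test_module_secret_file_contents and its b64 variants, test_module_secret_file_contents_binary_b64) reports only "False is not true" on failure, so a reader cannot tell whether the count or the object mismatched; split it into `self.assertEqual(len(ret["kubernetes_secret_objects"]), 1)` followed by an equality assertion on `ret["kubernetes_secret_objects"][0]` so unittest prints the dict diff. The error-path tests (test_ensure_error_conflicting_backends, test_ensure_error_unknown_backends, test_ensure_error_secrets_same_name, test_ensure_error_fields_same_name, both generate tests) also mix a bare `assert ret["args"][1] == "..."` with `self.assertEqual(ret["failed"], True)`; under plain unittest the bare assert gives no diff either and is stripped under `python -O`, so use `self.assertEqual` for the message check as well.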
@@ -0,0 +1,205 @@ +DEFAULT_PARSED_SECRET_VALUE = { + "name": "overwrite-me", + "fields": {}, + "base64": [], + "ini_file": {}, + "generate": [], + "override": [], + "vault_mount": "secret", + "vault_policies": {}, + "vault_prefixes": ["hub"], + "type": "Opaque", + "target_namespaces": [], + "labels": {}, + "annotations": {}, + "paths": {}, +} + +DEFAULT_KUBERNETES_METADATA = { + "name": "overwrite-me", + "labels": {}, + "annotations": {}, + "namespace": "validated-patterns-secrets", +} +DEFAULT_KUBERNETES_SECRET_OBJECT = { + "kind": "Secret", + "type": "Opaque", + "apiVersion": "v1", + "metadata": DEFAULT_KUBERNETES_METADATA, + "stringData": {}, +} + +DEFAULT_VAULT_POLICIES = { + "validatedPatternDefaultPolicy": ( + "length=20\n" + 'rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\n' # noqa: E501 + 'rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\n' # noqa: E501 + 'rule "charset" { charset = "0123456789" min-chars = 1 }\n' + 'rule "charset" { charset = "!@#%^&*" min-chars = 1 }\n' + ), +} + +GENERATE_POLICY_B64_TEST = { + "vault_policies": { + "basicPolicy": 'length=10\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\n', # noqa: E501 + "validatedPatternDefaultPolicy": 'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n', # noqa: E501 + }, + "parsed_secrets": { + "config-demo": { + "annotations": {}, + "base64": ["secret"], + "fields": {"secret": None}, + "generate": ["secret"], + "ini_file": {}, + "labels": {}, + "name": "config-demo", + "namespace": "validated-patterns-secrets", + "override": ["secret"], + "paths": {}, + "type": "Opaque", + 
"vault_mount": "secret", + "vault_policies": {"secret": "basicPolicy"}, + "vault_prefixes": ["region-one", "snowflake.blueprints.rhecoeng.com"], + } + }, +} + +PARSED_SECRET_VALUE_TEST = { + "parsed_secrets": { + "config-demo": { + "annotations": {}, + "base64": [], + "fields": {"secret": "value123"}, + "generate": [], + "ini_file": {}, + "labels": {}, + "name": "config-demo", + "namespace": "validated-patterns-secrets", + "override": [], + "paths": {}, + "type": "Opaque", + "vault_mount": "secret", + "vault_policies": {}, + "vault_prefixes": ["hub"], + } + }, + "vault_policies": { + "validatedPatternDefaultPolicy": 'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n' # noqa: E501 + }, +} + +PARSED_SECRET_B64_VALUE_TEST = { + "parsed_secrets": { + "config-demo": { + "annotations": {}, + "base64": ["secret"], + "fields": {"secret": "dmFsdWUxMjMK"}, + "generate": [], + "ini_file": {}, + "labels": {}, + "name": "config-demo", + "namespace": "validated-patterns-secrets", + "override": [], + "paths": {}, + "type": "Opaque", + "vault_mount": "secret", + "vault_policies": {}, + "vault_prefixes": ["hub"], + } + }, + "vault_policies": { + "validatedPatternDefaultPolicy": 'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n' # noqa: E501 + }, +} + +PARSED_SECRET_FILE_INJECTION_TEST = { + "parsed_secrets": { + "config-demo": { + "annotations": {}, + "base64": [], + "fields": {"secret": "value123"}, + "generate": [], + "ini_file": {}, + "labels": {}, + "name": "config-demo", + "namespace": "validated-patterns-secrets", + "override": [], + "paths": 
{}, + "type": "Opaque", + "vault_mount": "secret", + "vault_policies": {}, + "vault_prefixes": [ + "secret/region-one", + "secret/snowflake.blueprints.rhecoeng.com", + ], + }, + "config-demo-file": { + "annotations": {}, + "base64": [], + "fields": {"test": ""}, + "generate": [], + "ini_file": {}, + "labels": {}, + "name": "config-demo-file", + "namespace": "validated-patterns-secrets", + "override": [], + "paths": {"test": "/tmp/footest"}, + "type": "Opaque", + "vault_mount": "secret", + "vault_policies": {}, + "vault_prefixes": [ + "secret/region-two", + "secret/snowflake.blueprints.rhecoeng.com", + ], + }, + }, + "vault_policies": { + "validatedPatternDefaultPolicy": 'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n' # noqa: 501 + }, +} + +PARSED_SECRET_FILE_B64_INJECTION_TEST = { + "parsed_secrets": { + "config-demo": { + "annotations": {}, + "base64": [], + "fields": {"secret": "value123"}, + "generate": [], + "ini_file": {}, + "labels": {}, + "name": "config-demo", + "namespace": "validated-patterns-secrets", + "override": [], + "paths": {}, + "type": "Opaque", + "vault_mount": "secret", + "vault_policies": {}, + "vault_prefixes": [ + "secret/region-one", + "secret/snowflake.blueprints.rhecoeng.com", + ], + }, + "config-demo-file": { + "annotations": {}, + "base64": ["test"], + "fields": {"test": ""}, + "generate": [], + "ini_file": {}, + "labels": {}, + "name": "config-demo-file", + "namespace": "validated-patterns-secrets", + "override": [], + "paths": {"test": "/tmp/footest"}, + "type": "Opaque", + "vault_mount": "secret", + "vault_policies": {}, + "vault_prefixes": [ + "secret/region-two", + "secret/snowflake.blueprints.rhecoeng.com", + ], + }, + }, + "vault_policies": { + "validatedPatternDefaultPolicy": 'length=20\nrule "charset" { 
charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n' # noqa: 501 + }, +} diff --git a/ansible/tests/unit/test_vault_load_parsed_secrets.py b/ansible/tests/unit/test_vault_load_parsed_secrets.py new file mode 100644 index 0000000..ca37de9 --- /dev/null +++ b/ansible/tests/unit/test_vault_load_parsed_secrets.py 
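Review bot: Two `# noqa` markers in test_util_datastructures.py are malformed: the `validatedPatternDefaultPolicy` lines in PARSED_SECRET_FILE_INJECTION_TEST and PARSED_SECRET_FILE_B64_INJECTION_TEST read `# noqa: 501` instead of `# noqa: E501`; flake8 does not parse `501` as a code, so it degrades to a bare `# noqa` that silences every check on that line. Fix both to `# noqa: E501` to match the rest of the file. The same policy string is also pasted verbatim into GENERATE_POLICY_B64_TEST, PARSED_SECRET_VALUE_TEST, PARSED_SECRET_B64_VALUE_TEST and both file-injection structures even though DEFAULT_VAULT_POLICIES already defines it at the top of the module; referencing `DEFAULT_VAULT_POLICIES["validatedPatternDefaultPolicy"]` removes the over-long lines and keeps the fixtures from drifting apart. One thing to confirm: the file-injection fixtures use `vault_prefixes` of `secret/region-one` and `secret/snowflake.blueprints.rhecoeng.com`, while GENERATE_POLICY_B64_TEST uses the bare `region-one`; since the loader always passes `-mount=secret`, the former produce paths like `secret/region-one/config-demo` inside the `secret` mount (as the expected commands in test_vault_load_parsed_secrets.py show). Either the doubled `secret/` is intended, or one set of fixtures is wrong and the tests are enshrining it.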
@@ -0,0 +1,320 @@ +# Copyright 2022 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +""" +Simple module to test vault_load_parsed_secrets +""" + +import json +import os +import sys +import unittest +from unittest.mock import call, patch + +import test_util_datastructures +from ansible.module_utils import basic +from ansible.module_utils.common.text.converters import to_bytes + +# TODO(bandini): I could not come up with something better to force the imports to be existing +# when we 'import vault_load_secrets' +sys.path.insert(1, "./ansible/plugins/module_utils") +sys.path.insert(1, "./ansible/plugins/modules") + +import vault_load_parsed_secrets # noqa: E402 + +sys.modules["ansible.modules.vault_load_parsed_secrets"] = vault_load_parsed_secrets + + +def set_module_args(args): + """prepare arguments so that they will be picked up during module creation""" + args = json.dumps({"ANSIBLE_MODULE_ARGS": args}) + basic._ANSIBLE_ARGS = to_bytes(args) + + +class AnsibleExitJson(Exception): + """Exception class to be raised by module.exit_json and caught by the test case""" + + pass + + +class AnsibleFailJson(Exception): + """Exception class to be raised by module.fail_json and caught by the test case""" + + pass + + +def exit_json(*args, **kwargs): + """function to patch over exit_json; package return data into an exception""" + if "changed" not in kwargs: + kwargs["changed"] = False + raise AnsibleExitJson(kwargs) + + +def 
fail_json(*args, **kwargs): + """function to patch over fail_json; package return data into an exception""" + kwargs["failed"] = True + kwargs["args"] = args + raise AnsibleFailJson(kwargs) + + +class TestMyModule(unittest.TestCase): + def setUp(self): + self.mock_module_helper = patch.multiple( + basic.AnsibleModule, exit_json=exit_json, fail_json=fail_json + ) + self.mock_module_helper.start() + self.addCleanup(self.mock_module_helper.stop) + self.testdir_v2 = os.path.join(os.path.dirname(os.path.abspath(__file__)), "v2") + + def tearDown(self): + return + + def test_module_fail_when_required_args_missing(self): + with self.assertRaises(AnsibleFailJson): + set_module_args({}) + vault_load_parsed_secrets.main() + + # For these tests, we need the data structures that parse_secrets_info outputs. + # Several have been saved in the test_util_datastructures module for this purpose + def test_ensure_value_injection_works(self): + set_module_args( + { + "parsed_secrets": test_util_datastructures.PARSED_SECRET_VALUE_TEST[ + "parsed_secrets" + ], + "vault_policies": test_util_datastructures.PARSED_SECRET_VALUE_TEST[ + "vault_policies" + ], + } + ) + with patch.object( + vault_load_parsed_secrets.VaultSecretLoader, "_run_command" + ) as mock_run_command: + stdout = "" + stderr = "" + ret = 0 + mock_run_command.return_value = ret, stdout, stderr # successful execution + + with self.assertRaises(AnsibleExitJson) as result: + vault_load_parsed_secrets.main() + self.assertTrue( + result.exception.args[0]["changed"] + ) # ensure result is changed + assert mock_run_command.call_count == 2 + + calls = [ + call( + 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc 
exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 + attempts=3, + ), + call( + "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret hub/config-demo secret='value123'\"", + attempts=3, + ), + ] + print(mock_run_command.mock_calls) + mock_run_command.assert_has_calls(calls) + + def test_ensure_b64_value_injection_works(self): + set_module_args( + { + "parsed_secrets": test_util_datastructures.PARSED_SECRET_B64_VALUE_TEST[ + "parsed_secrets" + ], + "vault_policies": test_util_datastructures.PARSED_SECRET_B64_VALUE_TEST[ + "vault_policies" + ], + } + ) + with patch.object( + vault_load_parsed_secrets.VaultSecretLoader, "_run_command" + ) as mock_run_command: + stdout = "" + stderr = "" + ret = 0 + mock_run_command.return_value = ret, stdout, stderr # successful execution + + with self.assertRaises(AnsibleExitJson) as result: + vault_load_parsed_secrets.main() + self.assertTrue( + result.exception.args[0]["changed"] + ) # ensure result is changed + assert mock_run_command.call_count == 2 + + calls = [ + call( + 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 + attempts=3, + ), + call( + "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret hub/config-demo secret='dmFsdWUxMjMK'\"", # noqa: E501 + attempts=3, + ), + ] + print(mock_run_command.mock_calls) + mock_run_command.assert_has_calls(calls) + + def test_ensure_file_injection_works(self): + 
set_module_args( + { + "parsed_secrets": test_util_datastructures.PARSED_SECRET_FILE_INJECTION_TEST[ + "parsed_secrets" + ], + "vault_policies": test_util_datastructures.PARSED_SECRET_FILE_INJECTION_TEST[ + "vault_policies" + ], + } + ) + with patch.object( + vault_load_parsed_secrets.VaultSecretLoader, "_run_command" + ) as mock_run_command: + stdout = "" + stderr = "" + ret = 0 + mock_run_command.return_value = ret, stdout, stderr # successful execution + + with self.assertRaises(AnsibleExitJson) as result: + vault_load_parsed_secrets.main() + self.assertTrue( + result.exception.args[0]["changed"] + ) # ensure result is changed + assert mock_run_command.call_count == 5 + + calls = [ + call( + 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 + attempts=3, + ), + call( + "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret secret/region-one/config-demo secret='value123'\"", # noqa: E501 + attempts=3, + ), + call( + "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret secret/snowflake.blueprints.rhecoeng.com/config-demo secret='value123'\"", # noqa: E501 + attempts=3, + ), + call( + "cat '/tmp/footest' | oc exec -n vault vault-0 -i -- sh -c 'cat - > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'vault kv put -mount=secret secret/region-two/config-demo-file test=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 + attempts=3, + ), + call( + "cat '/tmp/footest' | oc exec -n vault vault-0 -i -- sh -c 'cat - > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh 
-c 'vault kv put -mount=secret secret/snowflake.blueprints.rhecoeng.com/config-demo-file test=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 + attempts=3, + ), + ] + print(mock_run_command.mock_calls) + mock_run_command.assert_has_calls(calls) + + def test_ensure_file_b64_injection_works(self): + set_module_args( + { + "parsed_secrets": test_util_datastructures.PARSED_SECRET_FILE_B64_INJECTION_TEST[ + "parsed_secrets" + ], + "vault_policies": test_util_datastructures.PARSED_SECRET_FILE_B64_INJECTION_TEST[ + "vault_policies" + ], + } + ) + with patch.object( + vault_load_parsed_secrets.VaultSecretLoader, "_run_command" + ) as mock_run_command: + stdout = "" + stderr = "" + ret = 0 + mock_run_command.return_value = ret, stdout, stderr # successful execution + + with self.assertRaises(AnsibleExitJson) as result: + vault_load_parsed_secrets.main() + self.assertTrue( + result.exception.args[0]["changed"] + ) # ensure result is changed + assert mock_run_command.call_count == 5 + + calls = [ + call( + 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 + attempts=3, + ), + call( + "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret secret/region-one/config-demo secret='value123'\"", # noqa: E501 + attempts=3, + ), + call( + "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret secret/snowflake.blueprints.rhecoeng.com/config-demo secret='value123'\"", # noqa: E501 + attempts=3, + ), + call( + "cat '/tmp/footest' | oc exec -n vault vault-0 -i -- sh -c 'cat - | base64 
--wrap=0> /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'vault kv put -mount=secret secret/region-two/config-demo-file test=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 + attempts=3, + ), + call( + "cat '/tmp/footest' | oc exec -n vault vault-0 -i -- sh -c 'cat - | base64 --wrap=0> /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'vault kv put -mount=secret secret/snowflake.blueprints.rhecoeng.com/config-demo-file test=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 + attempts=3, + ), + ] + print(mock_run_command.mock_calls) + mock_run_command.assert_has_calls(calls) + + def test_ensure_b64_generate_passwords_works(self): + set_module_args( + { + "parsed_secrets": test_util_datastructures.GENERATE_POLICY_B64_TEST[ + "parsed_secrets" + ], + "vault_policies": test_util_datastructures.GENERATE_POLICY_B64_TEST[ + "vault_policies" + ], + } + ) + with patch.object( + vault_load_parsed_secrets.VaultSecretLoader, "_run_command" + ) as mock_run_command: + stdout = "" + stderr = "" + ret = 0 + mock_run_command.return_value = ret, stdout, stderr # successful execution + + with self.assertRaises(AnsibleExitJson) as result: + vault_load_parsed_secrets.main() + self.assertTrue( + result.exception.args[0]["changed"] + ) # ensure result is changed + assert mock_run_command.call_count == 4 + + calls = [ + call( + 'echo \'length=10\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/basicPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/basicPolicy policy=@/tmp/basicPolicy.hcl\'', # noqa: E501 + attempts=3, + ), + call( + 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" 
min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 + attempts=3, + ), + call( + 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/basicPolicy/generate | base64 --wrap=0 | vault kv put -mount=secret region-one/config-demo secret=-"', # noqa: E501 + attempts=3, + ), + call( + 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/basicPolicy/generate | base64 --wrap=0 | vault kv put -mount=secret snowflake.blueprints.rhecoeng.com/config-demo secret=-"', # noqa: E501 + attempts=3, + ), + ] + print(mock_run_command.mock_calls) + mock_run_command.assert_has_calls(calls) + + +if __name__ == "__main__": + unittest.main() diff --git a/ansible/tests/unit/v2/test-file-contents b/ansible/tests/unit/v2/test-file-contents new file mode 100644 index 0000000..49c9a88 --- /dev/null +++ b/ansible/tests/unit/v2/test-file-contents @@ -0,0 +1 @@ +This space intentionally left blank diff --git a/ansible/tests/unit/v2/test-file-contents.b64 b/ansible/tests/unit/v2/test-file-contents.b64 new file mode 100644 index 0000000..da896ba --- /dev/null +++ b/ansible/tests/unit/v2/test-file-contents.b64 @@ -0,0 +1 @@ +VGhpcyBzcGFjZSBpbnRlbnRpb25hbGx5IGxlZnQgYmxhbmsK \ No newline at end of file diff --git a/ansible/tests/unit/v2/values-secret-v2-base-k8s-backend.yaml b/ansible/tests/unit/v2/values-secret-v2-base-k8s-backend.yaml new file mode 100644 index 0000000..7194ebc --- /dev/null +++ b/ansible/tests/unit/v2/values-secret-v2-base-k8s-backend.yaml @@ -0,0 +1,9 @@ +version: "2.0" + +backingStore: kubernetes + +secrets: + - name: config-demo + fields: + - name: secret + value: secret 
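Review bot: The expected commands in test_ensure_value_injection_works and test_ensure_b64_value_injection_works show the loader interpolating the secret value directly into a `sh -c` string (`vault kv put -mount=secret hub/config-demo secret='value123'`); this breaks on any value containing a single quote and puts the plaintext value on the command line of `oc exec`, `sh` and `vault`, where it is visible in process listings and in anything that logs commands, including the `print(mock_run_command.mock_calls)` left in every test here. The file and generate paths already avoid this by using `test=@/tmp/vcontent` and `secret=-`; feeding inline values through stdin the same way, and adding a test whose value contains both `'` and `"`, would close the gap. Smaller points in test_vault_load_parsed_secrets.py: the policy files written to `/tmp/<policy>.hcl` inside the vault pod are never removed, whereas `/tmp/vcontent` is; the `print(...)` calls are debug noise in a unit test; `tearDown` that only returns can be dropped; and the `sys.path.insert(1, "./ansible/plugins/...")` lines tie the tests to being run from the repository root while `self.testdir_v2` is already derived from `__file__`, so building those paths the same way would resolve the TODO.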
diff --git a/ansible/tests/unit/v2/values-secret-v2-base-none-backend.yaml b/ansible/tests/unit/v2/values-secret-v2-base-none-backend.yaml new file mode 100644 index 0000000..4e1e3cd --- /dev/null +++ b/ansible/tests/unit/v2/values-secret-v2-base-none-backend.yaml @@ -0,0 +1,11 @@ +version: "2.0" + +backingStore: none + +secrets: + - name: config-demo + targetNamespaces: + - default + fields: + - name: secret + value: secret diff --git a/ansible/tests/unit/v2/values-secret-v2-base-unknown-backend.yaml b/ansible/tests/unit/v2/values-secret-v2-base-unknown-backend.yaml new file mode 100644 index 0000000..e1f4c6d --- /dev/null +++ b/ansible/tests/unit/v2/values-secret-v2-base-unknown-backend.yaml @@ -0,0 +1,9 @@ +version: "2.0" + +backingStore: unknown + +secrets: + - name: config-demo + fields: + - name: secret + value: secret diff --git a/ansible/tests/unit/v2/values-secret-v2-block-yamlstring.yaml b/ansible/tests/unit/v2/values-secret-v2-block-yamlstring.yaml new file mode 100644 index 0000000..84165f6 --- /dev/null +++ b/ansible/tests/unit/v2/values-secret-v2-block-yamlstring.yaml @@ -0,0 +1,16 @@ +version: "2.0" + +secrets: + - name: config-demo + fields: + - name: sshprivkey + onMissingValue: error + value: |- + ssh-rsa oNb/kAvwdQl+FKdwzzKo5rnGIB68UOxWoaKPnKdgF/ts67CDBslWGnpUZCpp8TdaxfHmpoyA6nutMwQw8OAMEUybxvilDn+ZVJ/5qgfRBdi8wLKRLTIj0v+ZW7erN9yuZG53xUQAaQjivM3cRyNLIZ9torShYaYwD1UTTDkV97RMfNDlWI5f5FGRvfy429ZfCwbUWUbijrcv/mWc/uO3x/+MBXwa4f8ubzEYlrt4yH/Vbpzs67kE9UJ9z1zurFUFJydy1ZDAdKSiBS91ImI3ccKnbz0lji2bgSYR0Wp1IQhzSpjyJU2rIu9HAEUh85Rwf2jakfLpMcg/hSBer3sG kilroy@example.com + - name: sshpubkey + onMissingValue: error + value: |- + -----BEGIN OPENSSH PRIVATE KEY----- + TtzxGgWrNerAr1hzUqPW2xphF/Aur1rQXSLv4J7frEJxNED6u/eScsNgwJMGXwRx7QYVohh0ARHVhJdUzJK7pEIphi4BGw== + wlo+oQsi828b47SKZB8/K9dbeLlLiXh9/hu47MGpeGHZsKbjAdauncuw+YUDDN2EADJjasNMZHjxYhXKtqDjXTIw1X1n0Q== + -----END OPENSSH PRIVATE KEY----- 
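Review bot: The field names in values-secret-v2-block-yamlstring.yaml are swapped: `sshprivkey` carries an `ssh-rsa ... kilroy@example.com` public-key line and `sshpubkey` carries the `-----BEGIN OPENSSH PRIVATE KEY-----` block, and the expectations in test_ensure_success_retrieving_block_yaml_value and test_ensure_kubernetes_object_block_yaml_value inherit the mix-up. Swap the names in the fixture and in both tests (they only compare strings, so nothing else changes). Separately, the BEGIN/END PRIVATE KEY markers will be flagged by secret scanners even though the body is not an `openssh-key-v1` payload; a one-line comment in the fixture stating that the block is synthetic saves the next person a false-positive triage.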
diff --git a/ansible/tests/unit/v2/values-secret-v2-default-annotations.yaml b/ansible/tests/unit/v2/values-secret-v2-default-annotations.yaml new file mode 100644 index 0000000..af3e2f9 --- /dev/null +++ b/ansible/tests/unit/v2/values-secret-v2-default-annotations.yaml @@ -0,0 +1,13 @@ +--- +version: "2.0" + +annotations: + test-annotation: 42 + +secrets: + - name: test-secret + fields: + - name: username + value: user + - name: password + value: testpass diff --git a/ansible/tests/unit/v2/values-secret-v2-default-labels.yaml b/ansible/tests/unit/v2/values-secret-v2-default-labels.yaml new file mode 100644 index 0000000..56af658 --- /dev/null +++ b/ansible/tests/unit/v2/values-secret-v2-default-labels.yaml @@ -0,0 +1,11 @@ +--- +version: "2.0" + +defaultLabels: + testlabel: 4 + +secrets: + - name: test-secret + fields: + - name: username + value: user diff --git a/ansible/tests/unit/v2/values-secret-v2-default-namespace.yaml b/ansible/tests/unit/v2/values-secret-v2-default-namespace.yaml new file mode 100644 index 0000000..a0f4db6 --- /dev/null +++ b/ansible/tests/unit/v2/values-secret-v2-default-namespace.yaml @@ -0,0 +1,8 @@ +--- +version: "2.0" + +secrets: + test-secret: + fields: + - name: username + value: user diff --git a/ansible/tests/unit/v2/values-secret-v2-file-contents-b64.yaml b/ansible/tests/unit/v2/values-secret-v2-file-contents-b64.yaml new file mode 100644 index 0000000..47ed721 --- /dev/null +++ b/ansible/tests/unit/v2/values-secret-v2-file-contents-b64.yaml @@ -0,0 +1,9 @@ +--- +version: "2.0" + +secrets: + - name: test-secret + fields: + - name: username + path: ~/test-file-contents + base64: true diff --git a/ansible/tests/unit/v2/values-secret-v2-file-contents-double-b64.yaml b/ansible/tests/unit/v2/values-secret-v2-file-contents-double-b64.yaml new file mode 100644 index 0000000..3a968ec --- /dev/null +++ b/ansible/tests/unit/v2/values-secret-v2-file-contents-double-b64.yaml 
@@ -0,0 +1,9 @@ +--- +version: "2.0" + +secrets: + - name: test-secret + fields: + - name: username + path: ~/test-file-contents.b64 + base64: true diff --git a/ansible/tests/unit/v2/values-secret-v2-file-contents.yaml b/ansible/tests/unit/v2/values-secret-v2-file-contents.yaml new file mode 100644 index 0000000..e2da90c --- /dev/null +++ b/ansible/tests/unit/v2/values-secret-v2-file-contents.yaml @@ -0,0 +1,8 @@ +--- +version: "2.0" + +secrets: + - name: test-secret + fields: + - name: username + path: ~/test-file-contents diff --git a/ansible/tests/unit/v2/values-secret-v2-generic-onlygenerate.yaml b/ansible/tests/unit/v2/values-secret-v2-generic-onlygenerate.yaml new file mode 100644 index 0000000..46992af --- /dev/null +++ b/ansible/tests/unit/v2/values-secret-v2-generic-onlygenerate.yaml @@ -0,0 +1,33 @@ +version: "2.0" + +vaultPolicies: + basicPolicy: | + length=10 + rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } + rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } + rule "charset" { charset = "0123456789" min-chars = 1 } + + advancedPolicy: | + length=20 + rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } + rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } + rule "charset" { charset = "0123456789" min-chars = 1 } + rule "charset" { charset = "!@#%^&*" min-chars = 1 } + +secrets: + - name: config-demo + targetNamespaces: + - default + vaultMount: foo + vaultPrefixes: + - region-one + - snowflake.blueprints.rhecoeng.com + fields: + - name: secret + onMissingValue: generate + override: true + vaultPolicy: basicPolicy + - name: secret2 + onMissingValue: generate + override: true + vaultPolicy: advancedPolicy diff --git a/ansible/tests/unit/v2/values-secret-v2-ini-file-b64.yaml b/ansible/tests/unit/v2/values-secret-v2-ini-file-b64.yaml new file mode 100644 index 0000000..ff08d20 --- /dev/null +++ b/ansible/tests/unit/v2/values-secret-v2-ini-file-b64.yaml 
@@ -0,0 +1,23 @@ +version: "2.0" +secrets: + - name: aws + fields: + - name: aws_access_key_id + ini_file: '~/aws-example.ini' + ini_section: default + ini_key: aws_access_key_id + - name: aws_secret_access_key + ini_file: '~/aws-example.ini' + ini_key: aws_secret_access_key + - name: awsb64 + fields: + - name: aws_access_key_id + ini_file: '~/aws-example.ini' + ini_section: default + ini_key: aws_access_key_id + base64: true + - name: aws_secret_access_key + ini_file: '~/aws-example.ini' + ini_section: default + ini_key: aws_secret_access_key + base64: true diff --git a/ansible/tests/unit/v2/values-secret-v2-more-namespaces.yaml b/ansible/tests/unit/v2/values-secret-v2-more-namespaces.yaml new file mode 100644 index 0000000..be409af --- /dev/null +++ b/ansible/tests/unit/v2/values-secret-v2-more-namespaces.yaml @@ -0,0 +1,11 @@ +--- +version: "2.0" + +secrets: + - name: test-secret + targetNamespaces: + - default + - extra + fields: + - name: username + value: user diff --git a/ansible/tests/unit/v2/values-secret-v2-nondefault-namespace.yaml b/ansible/tests/unit/v2/values-secret-v2-nondefault-namespace.yaml new file mode 100644 index 0000000..a0f4db6 --- /dev/null +++ b/ansible/tests/unit/v2/values-secret-v2-nondefault-namespace.yaml @@ -0,0 +1,8 @@ +--- +version: "2.0" + +secrets: + test-secret: + fields: + - name: username + value: user diff --git a/ansible/tests/unit/v2/values-secret-v2-none-no-targetnamespaces.yaml b/ansible/tests/unit/v2/values-secret-v2-none-no-targetnamespaces.yaml new file mode 100644 index 0000000..2a5ef0b --- /dev/null +++ b/ansible/tests/unit/v2/values-secret-v2-none-no-targetnamespaces.yaml 
@@ -0,0 +1,33 @@ +version: "2.0" + +backingStore: vault + +vaultPolicies: + basicPolicy: | + length=10 + rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } + rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } + rule "charset" { charset = "0123456789" min-chars = 1 } + + advancedPolicy: | + length=20 + rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } + rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } + rule "charset" { charset = "0123456789" min-chars = 1 } + rule "charset" { charset = "!@#%^&*" min-chars = 1 } + +secrets: + - name: config-demo + vaultMount: foo + vaultPrefixes: + - region-one + - snowflake.blueprints.rhecoeng.com + fields: + - name: secret + onMissingValue: generate + override: true + vaultPolicy: basicPolicy + - name: secret2 + onMissingValue: generate + override: true + vaultPolicy: advancedPolicy diff --git a/ansible/tests/unit/v2/values-secret-v2-override-labels.yaml b/ansible/tests/unit/v2/values-secret-v2-override-labels.yaml new file mode 100644 index 0000000..13a460b --- /dev/null +++ b/ansible/tests/unit/v2/values-secret-v2-override-labels.yaml @@ -0,0 +1,13 @@ +--- +version: "2.0" + +defaultLabels: + testlabel: 4 + +secrets: + - name: test-secret + labels: + overridelabel: 42 + fields: + - name: username + value: user diff --git a/ansible/tests/unit/v2/values-secret-v2-override-namespace.yaml b/ansible/tests/unit/v2/values-secret-v2-override-namespace.yaml new file mode 100644 index 0000000..ad53cf7 --- /dev/null +++ b/ansible/tests/unit/v2/values-secret-v2-override-namespace.yaml @@ -0,0 +1,10 @@ +--- +version: "2.0" + +secretStoreNamespace: 'overridden-namespace' + +secrets: + - name: test-secret + fields: + - name: username + value: user diff --git a/ansible/tests/unit/v2/values-secret-v2-override-type-none.yaml b/ansible/tests/unit/v2/values-secret-v2-override-type-none.yaml new file mode 100644 index 0000000..1d11067 --- /dev/null 
+++ b/ansible/tests/unit/v2/values-secret-v2-override-type-none.yaml @@ -0,0 +1,14 @@ +--- +version: "2.0" + +# This is the actual default +defaultNamespace: 'validated-patterns-secrets' + +secrets: + - name: test-secret + type: 'user-specified' + targetNamespaces: + - default + fields: + - name: username + value: user diff --git a/ansible/tests/unit/v2/values-secret-v2-override-type.yaml b/ansible/tests/unit/v2/values-secret-v2-override-type.yaml new file mode 100644 index 0000000..1bf8e36 --- /dev/null +++ b/ansible/tests/unit/v2/values-secret-v2-override-type.yaml @@ -0,0 +1,12 @@ +--- +version: "2.0" + +# This is the actual default +defaultNamespace: 'validated-patterns-secrets' + +secrets: + - name: test-secret + type: 'user-specified' + fields: + - name: username + value: user diff --git a/ansible/tests/unit/v2/values-secret-v2-secret-binary-b64.yaml b/ansible/tests/unit/v2/values-secret-v2-secret-binary-b64.yaml new file mode 100644 index 0000000..579c7d6 --- /dev/null +++ b/ansible/tests/unit/v2/values-secret-v2-secret-binary-b64.yaml @@ -0,0 +1,10 @@ +version: "2.0" + +secrets: + - name: secret + fields: + - name: secret + # Should contain 8, 6, 7, 5, 3, 0, 9 in binary + path: '/tmp/testbinfile.bin' + onMissingValue: error + base64: true diff --git a/clustergroup/templates/imperative/unsealjob.yaml b/clustergroup/templates/imperative/unsealjob.yaml index d0dbc3c..4db14be 100644 --- a/clustergroup/templates/imperative/unsealjob.yaml +++ b/clustergroup/templates/imperative/unsealjob.yaml @@ -1,3 +1,4 @@ +{{- if eq .Values.global.secretStore.backend "vault" | default "vault" }} {{- if not (eq .Values.enabled "plumbing") }} {{- if $.Values.clusterGroup.isHubCluster }} --- @@ -56,3 +57,4 @@ spec: restartPolicy: Never {{- end }} {{- end }} +{{- end }} diff --git a/clustergroup/values.yaml b/clustergroup/values.yaml index bb3a6e2..c74db48 100644 --- a/clustergroup/values.yaml +++ b/clustergroup/values.yaml 
@@ -1,6 +1,8 @@ global: extraValueFiles: [] pattern: common + secretStore: + backend: "vault" targetRevision: main options: useCSV: True diff --git a/golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml b/golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml deleted file mode 100644 index fc0b410..0000000 --- a/golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml +++ /dev/null @@ -1,40 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-backend - namespace: golang-external-secrets -spec: - provider: - vault: - server: https://vault-vault.{{ .Values.global.hubClusterDomain }} - path: secret - # Version of KV backend - version: v2 -{{- if .Values.golangExternalSecrets.caProvider.enabled }} -{{ if .Values.clusterGroup.isHubCluster }} - caProvider: - type: {{ .Values.golangExternalSecrets.caProvider.vaultHostCluster.type }} - name: {{ .Values.golangExternalSecrets.caProvider.vaultHostCluster.name }} - key: {{ .Values.golangExternalSecrets.caProvider.vaultHostCluster.key }} - namespace: {{ .Values.golangExternalSecrets.caProvider.vaultHostCluster.namespace }} -{{ else }} - caProvider: - type: {{ .Values.golangExternalSecrets.caProvider.vaultClientCluster.type }} - name: {{ .Values.golangExternalSecrets.caProvider.vaultClientCluster.name }} - key: {{ .Values.golangExternalSecrets.caProvider.vaultClientCluster.key }} - namespace: {{ .Values.golangExternalSecrets.caProvider.vaultClientCluster.namespace }} -{{ end }} -{{- end }} - auth: - kubernetes: -{{ if .Values.clusterGroup.isHubCluster }} - mountPath: {{ .Values.mountPath }} - role: {{ .Values.mountRole }} -{{ else }} - mountPath: {{ $.Values.global.clusterDomain }} - role: {{ $.Values.global.clusterDomain }}-role -{{ end }} - secretRef: - name: golang-external-secrets - namespace: golang-external-secrets - key: "token" 
diff --git a/golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-role.yaml b/golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-role.yaml new file mode 100644 index 0000000..05ce87a --- /dev/null +++ b/golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-role.yaml @@ -0,0 +1,22 @@ +{{- if and (eq .Values.global.secretStore.backend "kubernetes") (eq .Values.clusterGroup.isHubCluster true) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: {{ .Values.golangExternalSecrets.kubernetes.remoteNamespace }} + name: golang-external-secrets +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - authorization.k8s.io + resources: + - selfsubjectrulesreviews + verbs: + - create +{{- end }} diff --git a/golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-secretstore.yaml b/golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-secretstore.yaml new file mode 100644 index 0000000..62253f1 --- /dev/null +++ b/golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-secretstore.yaml 
@@ -0,0 +1,34 @@ +{{- $backend := .Values.global.secretStore.backend | default "vault" }} +{{- if eq $backend "kubernetes" }} +--- +apiVersion: external-secrets.io/v1beta1 +kind: ClusterSecretStore +metadata: + name: {{ $backend }}-backend + namespace: golang-external-secrets +spec: + provider: + kubernetes: + remoteNamespace: {{ .Values.golangExternalSecrets.kubernetes.remoteNamespace }} + server: + url: {{ .Values.golangExternalSecrets.kubernetes.server.url }} +{{- if .Values.golangExternalSecrets.caProvider.enabled }} +{{- if .Values.clusterGroup.isHubCluster }} + caProvider: + type: {{ .Values.golangExternalSecrets.caProvider.hostCluster.type }} + name: {{ .Values.golangExternalSecrets.caProvider.hostCluster.name }} + key: {{ .Values.golangExternalSecrets.caProvider.hostCluster.key }} + namespace: {{ .Values.golangExternalSecrets.caProvider.hostCluster.namespace }} +{{- else }} + caProvider: + type: {{ .Values.golangExternalSecrets.caProvider.clientCluster.type }} + name: {{ .Values.golangExternalSecrets.caProvider.clientCluster.name }} + key: {{ .Values.golangExternalSecrets.caProvider.clientCluster.key }} + namespace: {{ .Values.golangExternalSecrets.caProvider.clientCluster.namespace }} +{{- end }} +{{- end }} + auth: + serviceAccount: + name: golang-external-secrets + namespace: golang-external-secrets +{{- end }} diff --git a/golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml b/golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml new file mode 100644 index 0000000..8fdd4ab --- /dev/null +++ b/golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml 
@@ -0,0 +1,44 @@ +{{- $backend := .Values.global.secretStore.backend | default "vault" }} +{{- if eq $backend "vault" }} +--- +apiVersion: external-secrets.io/v1beta1 +kind: ClusterSecretStore +metadata: + name: {{ $backend }}-backend + namespace: golang-external-secrets +spec: + provider: + vault: + server: https://vault-vault.{{ .Values.global.hubClusterDomain }} + path: secret + # Version of KV backend + version: v2 +{{- if .Values.golangExternalSecrets.caProvider.enabled }} +{{ if .Values.clusterGroup.isHubCluster }} + caProvider: + type: {{ .Values.golangExternalSecrets.caProvider.hostCluster.type }} + name: {{ .Values.golangExternalSecrets.caProvider.hostCluster.name }} + key: {{ .Values.golangExternalSecrets.caProvider.hostCluster.key }} + namespace: {{ .Values.golangExternalSecrets.caProvider.hostCluster.namespace }} +{{ else }} + caProvider: + type: {{ .Values.golangExternalSecrets.caProvider.clientCluster.type }} + name: {{ .Values.golangExternalSecrets.caProvider.clientCluster.name }} + key: {{ .Values.golangExternalSecrets.caProvider.clientCluster.key }} + namespace: {{ .Values.golangExternalSecrets.caProvider.clientCluster.namespace }} +{{ end }} +{{- end }} + auth: + kubernetes: +{{ if .Values.clusterGroup.isHubCluster }} + mountPath: {{ .Values.golangExternalSecrets.vault.mountPath }} + role: {{ .Values.golangExternalSecrets.rbac.rolename }} +{{ else }} + mountPath: {{ $.Values.global.clusterDomain }} + role: {{ $.Values.global.clusterDomain }}-role +{{ end }} + secretRef: + name: golang-external-secrets + namespace: golang-external-secrets + key: "token" +{{- end }} diff --git a/golang-external-secrets/values.yaml b/golang-external-secrets/values.yaml index 8a37f55..6ecd32f 100644 --- a/golang-external-secrets/values.yaml +++ b/golang-external-secrets/values.yaml 
@@ -1,18 +1,25 @@ --- -# Eventually we should aim to move these two under the golangExternalSecrets key -mountPath: "hub" -mountRole: "hub-role" - golangExternalSecrets: - # This controls how ESO connects to vault + rbac: + rolename: "hub-role" + + kubernetes: + remoteNamespace: "validated-patterns-secrets" + server: + url: 'https://kubernetes.default' + + vault: + mountPath: "hub" + + # This controls how ESO connects to vault caProvider: enabled: true # If vault is exposed via a route that is signed by a non internal CA you might want to disable this - vaultHostCluster: + hostCluster: type: ConfigMap name: kube-root-ca.crt key: ca.crt namespace: golang-external-secrets - vaultClientCluster: + clientCluster: type: Secret name: hub-ca key: hub-kube-root-ca.crt @@ -22,6 +29,9 @@ global: hubClusterDomain: hub.example.com clusterDomain: foo.example.com + secretStore: + backend: "vault" + clusterGroup: isHubCluster: true diff --git a/scripts/determine-main-clustergroup.sh b/scripts/determine-main-clustergroup.sh new file mode 100755 index 0000000..6271dba --- /dev/null +++ b/scripts/determine-main-clustergroup.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +PATTERN_DIR="$1" + +if [ -z "$PATTERN_DIR" ]; then + PATTERN_DIR="." +fi + +CGNAME=$(yq '.main.clusterGroupName' "$PATTERN_DIR/values-global.yaml") + +if [ -z "$CGNAME" ] || [ "$CGNAME" == "null" ]; then + echo "Error - cannot detrmine clusterGroupName" + exit 1 +fi + +echo "$CGNAME" diff --git a/scripts/determine-pattern-name.sh b/scripts/determine-pattern-name.sh new file mode 100755 index 0000000..fb503fe --- /dev/null +++ b/scripts/determine-pattern-name.sh @@ -0,0 +1,15 @@ +#!/bin/sh + +PATTERN_DIR="$1" + +if [ -z "$PATTERN_DIR" ]; then + PATTERN_DIR="." +fi + +PATNAME=$(yq '.global.pattern' "$PATTERN_DIR/values-global.yaml" 2>/dev/null) + +if [ -z "$PATNAME" ] || [ "$PATNAME" == "null" ]; then + PATNAME="$(basename "$PWD")" +fi + +echo "$PATNAME" 
diff --git a/scripts/determine-secretstore-backend.sh b/scripts/determine-secretstore-backend.sh new file mode 100755 index 0000000..ef78479 --- /dev/null +++ b/scripts/determine-secretstore-backend.sh @@ -0,0 +1,15 @@ +#!/bin/sh + +PATTERN_DIR="$1" + +if [ -z "$PATTERN_DIR" ]; then + PATTERN_DIR="." +fi + +BACKEND=$(yq '.global.secretStore.backend' "$PATTERN_DIR/values-global.yaml" 2>/dev/null) + +if [ -z "$BACKEND" -o "$BACKEND" == "null" ]; then + BACKEND="vault" +fi + +echo "$BACKEND" diff --git a/scripts/display-secrets-info.sh b/scripts/display-secrets-info.sh new file mode 100755 index 0000000..124a345 --- /dev/null +++ b/scripts/display-secrets-info.sh @@ -0,0 +1,30 @@ +#!/usr/bin/env bash +set -eu + +get_abs_filename() { + # $1 : relative filename + echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")" +} + +SCRIPT=$(get_abs_filename "$0") +SCRIPTPATH=$(dirname "${SCRIPT}") +COMMONPATH=$(dirname "${SCRIPTPATH}") +PATTERNPATH=$(dirname "${COMMONPATH}") +ANSIBLEPATH="$(dirname ${SCRIPTPATH})/ansible" +PLAYBOOKPATH="${ANSIBLEPATH}/playbooks" + +export ANSIBLE_CONFIG="${ANSIBLEPATH}/ansible.cfg" + +if [ "$#" -ge 1 ]; then + export VALUES_SECRET=$(get_abs_filename "${1}") +fi + +if [[ "$#" == 2 ]]; then + SECRETS_BACKING_STORE="$2" +else + SECRETS_BACKING_STORE="$($SCRIPTPATH/determine-secretstore-backend.sh)" +fi + +PATTERN_NAME=$(basename "`pwd`") + +ansible-playbook -e pattern_name="${PATTERN_NAME}" -e pattern_dir="${PATTERNPATH}" -e secrets_backing_store="${SECRETS_BACKING_STORE}" -e override_no_log=false "${PLAYBOOKPATH}/process_secrets/display_secrets_info.yml" diff --git a/scripts/load-k8s-secrets.sh b/scripts/load-k8s-secrets.sh new file mode 100755 index 0000000..33c2f9a --- /dev/null +++ b/scripts/load-k8s-secrets.sh 
@@ -0,0 +1,19 @@ +#!/usr/bin/env bash +set -eu + +get_abs_filename() { + # $1 : relative filename + echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")" +} + +SCRIPT=$(get_abs_filename "$0") +SCRIPTPATH=$(dirname "${SCRIPT}") +COMMONPATH=$(dirname "${SCRIPTPATH}") +PATTERNPATH=$(dirname "${COMMONPATH}") +ANSIBLEPATH="$(dirname ${SCRIPTPATH})/ansible" +PLAYBOOKPATH="${ANSIBLEPATH}/playbooks" +export ANSIBLE_CONFIG="${ANSIBLEPATH}/ansible.cfg" + +PATTERN_NAME=${1:-$(basename "`pwd`")} + +ansible-playbook -e pattern_name="${PATTERN_NAME}" -e pattern_dir="${PATTERNPATH}" "${PLAYBOOKPATH}/k8s_secrets/k8s_secrets.yml" diff --git a/scripts/manage-secret-app.sh b/scripts/manage-secret-app.sh new file mode 100755 index 0000000..1ea0d0b --- /dev/null +++ b/scripts/manage-secret-app.sh 
@@ -0,0 +1,49 @@ +#!/bin/sh + +APP=$1 +STATE=$2 + +MAIN_CLUSTERGROUP_FILE="./values-$(common/scripts/determine-main-clustergroup.sh).yaml" +MAIN_CLUSTERGROUP_PROJECT="$(common/scripts/determine-main-clustergroup.sh)" + +case "$APP" in + "vault") + APP_NAME="vault" + NAMESPACE="vault" + PROJECT="$MAIN_CLUSTERGROUP_PROJECT" + CHART_LOCATION="common/hashicorp-vault" + ;; + "golang-external-secrets") + APP_NAME="golang-external-secrets" + NAMESPACE="golang-external-secrets" + PROJECT="$MAIN_CLUSTERGROUP_PROJECT" + CHART_LOCATION="common/golang-external-secrets" + ;; + *) + echo "Error - cannot manage $APP can only manage vault and golang-external-secrets" + exit 1 + ;; +esac + +case "$STATE" in + "present") + common/scripts/manage-secret-namespace.sh "$NAMESPACE" "$STATE" + + RES=$(yq ".clusterGroup.applications[] | select(.path == \"$CHART_LOCATION\")" "$MAIN_CLUSTERGROUP_FILE" 2>/dev/null) + if [ -z "$RES" ]; then + echo "Application with chart location $CHART_LOCATION not found, adding" + yq -i ".clusterGroup.applications.$APP_NAME = { \"name\": \"$APP_NAME\", \"namespace\": \"$NAMESPACE\", \"project\": \"$PROJECT\", \"path\": \"$CHART_LOCATION\" }" "$MAIN_CLUSTERGROUP_FILE" + fi + ;; + "absent") + common/scripts/manage-secret-namespace.sh "$NAMESPACE" "$STATE" + echo "Removing application wth chart location $CHART_LOCATION" + yq -i "del(.clusterGroup.applications[] | select(.path == \"$CHART_LOCATION\"))" "$MAIN_CLUSTERGROUP_FILE" + ;; + *) + echo "$STATE not supported" + exit 1 + ;; +esac + +exit 0 diff --git a/scripts/manage-secret-namespace.sh b/scripts/manage-secret-namespace.sh new file mode 100755 index 0000000..bcb0674 --- /dev/null +++ b/scripts/manage-secret-namespace.sh 
@@ -0,0 +1,28 @@ +#!/bin/sh + +NAMESPACE=$1 +STATE=$2 + +MAIN_CLUSTERGROUP_FILE="./values-$(common/scripts/determine-main-clustergroup.sh).yaml" +MAIN_CLUSTERGROUP_PROJECT="$(common/scripts/determine-main-clustergroup.sh)" + +case "$STATE" in + "present") + + RES=$(yq ".clusterGroup.namespaces[] | select(. == \"$NAMESPACE\")" "$MAIN_CLUSTERGROUP_FILE" 2>/dev/null) + if [ -z "$RES" ]; then + echo "Namespace $NAMESPACE not found, adding" + yq -i ".clusterGroup.namespaces += [ \"$NAMESPACE\" ]" "$MAIN_CLUSTERGROUP_FILE" + fi + ;; + "absent") + echo "Removing namespace $NAMESPACE" + yq -i "del(.clusterGroup.namespaces[] | select(. == \"$NAMESPACE\"))" "$MAIN_CLUSTERGROUP_FILE" + ;; + *) + echo "$STATE not supported" + exit 1 + ;; +esac + +exit 0 diff --git a/scripts/process-secrets.sh b/scripts/process-secrets.sh new file mode 100755 index 0000000..509d6d7 --- /dev/null +++ b/scripts/process-secrets.sh @@ -0,0 +1,20 @@ +#!/usr/bin/env bash +set -eu + +get_abs_filename() { + # $1 : relative filename + echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")" +} + +SCRIPT=$(get_abs_filename "$0") +SCRIPTPATH=$(dirname "${SCRIPT}") +COMMONPATH=$(dirname "${SCRIPTPATH}") +PATTERNPATH=$(dirname "${COMMONPATH}") +ANSIBLEPATH="$(dirname ${SCRIPTPATH})/ansible" +PLAYBOOKPATH="${ANSIBLEPATH}/playbooks" +export ANSIBLE_CONFIG="${ANSIBLEPATH}/ansible.cfg" + +PATTERN_NAME=${1:-$(basename "`pwd`")} +SECRETS_BACKING_STORE="$($SCRIPTPATH/determine-secretstore-backend.sh)" + +ansible-playbook -e pattern_name="${PATTERN_NAME}" -e pattern_dir="${PATTERNPATH}" -e secrets_backing_store="${SECRETS_BACKING_STORE}" "${PLAYBOOKPATH}/process_secrets/process_secrets.yml" diff --git a/scripts/set-secret-backend.sh b/scripts/set-secret-backend.sh new file mode 100755 index 0000000..e07b15b --- /dev/null +++ b/scripts/set-secret-backend.sh @@ -0,0 +1,5 @@ +#!/bin/sh + +BACKEND=$1 + +yq -i ".global.secretStore.backend = \"$BACKEND\"" values-global.yaml 
diff --git a/tests/clustergroup-industrial-edge-factory.expected.yaml b/tests/clustergroup-industrial-edge-factory.expected.yaml index aef52f6..948ec58 100644 --- a/tests/clustergroup-industrial-edge-factory.expected.yaml +++ b/tests/clustergroup-industrial-edge-factory.expected.yaml @@ -186,6 +186,8 @@ data: useCSV: true pattern: mypattern repoURL: https://github.com/pattern-clone/mypattern + secretStore: + backend: vault targetRevision: main main: clusterGroupName: example diff --git a/tests/clustergroup-industrial-edge-hub.expected.yaml b/tests/clustergroup-industrial-edge-hub.expected.yaml index 3fcca69..541d612 100644 --- a/tests/clustergroup-industrial-edge-hub.expected.yaml +++ b/tests/clustergroup-industrial-edge-hub.expected.yaml @@ -347,6 +347,8 @@ data: useCSV: true pattern: mypattern repoURL: https://github.com/pattern-clone/mypattern + secretStore: + backend: vault targetRevision: main main: clusterGroupName: example diff --git a/tests/clustergroup-medical-diagnosis-hub.expected.yaml b/tests/clustergroup-medical-diagnosis-hub.expected.yaml index 5678d8b..e7c6620 100644 --- a/tests/clustergroup-medical-diagnosis-hub.expected.yaml +++ b/tests/clustergroup-medical-diagnosis-hub.expected.yaml @@ -306,6 +306,8 @@ data: useCSV: true pattern: mypattern repoURL: https://github.com/pattern-clone/mypattern + secretStore: + backend: vault targetRevision: main main: clusterGroupName: example diff --git a/tests/clustergroup-naked.expected.yaml b/tests/clustergroup-naked.expected.yaml index ec8099f..de02651 100644 --- a/tests/clustergroup-naked.expected.yaml +++ b/tests/clustergroup-naked.expected.yaml @@ -76,6 +76,8 @@ data: syncPolicy: Automatic useCSV: true pattern: common + secretStore: + backend: vault targetRevision: main secretStore: kind: ClusterSecretStore diff --git a/tests/clustergroup-normal.expected.yaml b/tests/clustergroup-normal.expected.yaml index a3dd7cd..9bf3973 100644 --- a/tests/clustergroup-normal.expected.yaml 
+++ b/tests/clustergroup-normal.expected.yaml @@ -268,6 +268,8 @@ data: useCSV: false pattern: mypattern repoURL: https://github.com/pattern-clone/mypattern + secretStore: + backend: vault targetRevision: main main: clusterGroupName: example diff --git a/tests/golang-external-secrets-industrial-edge-factory.expected.yaml b/tests/golang-external-secrets-industrial-edge-factory.expected.yaml index d92ef42..e6b3d6f 100644 --- a/tests/golang-external-secrets-industrial-edge-factory.expected.yaml +++ b/tests/golang-external-secrets-industrial-edge-factory.expected.yaml @@ -9225,7 +9225,7 @@ spec: secret: secretName: golang-external-secrets-webhook --- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml +# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore metadata: diff --git a/tests/golang-external-secrets-industrial-edge-hub.expected.yaml b/tests/golang-external-secrets-industrial-edge-hub.expected.yaml index 43c5d3f..3fca772 100644 --- a/tests/golang-external-secrets-industrial-edge-hub.expected.yaml +++ b/tests/golang-external-secrets-industrial-edge-hub.expected.yaml @@ -9225,7 +9225,7 @@ spec: secret: secretName: golang-external-secrets-webhook --- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml +# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore metadata: diff --git a/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml b/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml index 43c5d3f..3fca772 100644 --- a/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml +++ b/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml 
@@ -9225,7 +9225,7 @@ spec: secret: secretName: golang-external-secrets-webhook --- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml +# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore metadata: diff --git a/tests/golang-external-secrets-naked.expected.yaml b/tests/golang-external-secrets-naked.expected.yaml index 6b9d303..fda0917 100644 --- a/tests/golang-external-secrets-naked.expected.yaml +++ b/tests/golang-external-secrets-naked.expected.yaml @@ -9225,7 +9225,7 @@ spec: secret: secretName: golang-external-secrets-webhook --- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml +# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore metadata: diff --git a/tests/golang-external-secrets-normal.expected.yaml b/tests/golang-external-secrets-normal.expected.yaml index 43c5d3f..3fca772 100644 --- a/tests/golang-external-secrets-normal.expected.yaml +++ b/tests/golang-external-secrets-normal.expected.yaml @@ -9225,7 +9225,7 @@ spec: secret: secretName: golang-external-secrets-webhook --- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml +# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore metadata: diff --git a/values-global.yaml b/values-global.yaml index 24feccd..684f89f 100644 --- a/values-global.yaml +++ b/values-global.yaml @@ -12,6 +12,9 @@ global: email: someone@somewhere.com dev_revision: main + secretStore: + backend: vault + main: clusterGroupName: example From 672da04a64123630ad2ee8d004a9900a1e821b2e Mon Sep 17 00:00:00 2001 
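Review bot: ansible/tests/unit/v2/values-secret-v2-default-namespace.yaml and values-secret-v2-nondefault-namespace.yaml are byte-identical (both land at blob a0f4db6) and both spell `secrets:` as a map keyed by `test-secret:` rather than the list-of-`name:` form every other fixture in this patch uses; if the map form is the intended negative case for the parser, a comment in the fixture should say so, otherwise one of the two files is redundant and its test cannot distinguish the default from the non-default namespace.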
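Review bot: in ansible/tests/unit/v2/values-secret-v2-block-yamlstring.yaml the field named `sshprivkey` carries an `ssh-rsa ... kilroy@example.com` public-key line while `sshpubkey` carries the `-----BEGIN OPENSSH PRIVATE KEY-----` block; swap the two names so the fixture stays self-describing for whoever reads a failing assertion later.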
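Review bot: the new guard in clustergroup/templates/imperative/unsealjob.yaml, `{{- if eq .Values.global.secretStore.backend "vault" | default "vault" }}`, does not disable the unseal Job for non-vault backends: in Go templates the pipe binds to the whole `eq` call, so the expression is `(eq .backend "vault") | default "vault"`, and when `eq` yields false the `default` turns it into the non-empty string "vault", which is truthy, so the Job renders for every backend. Use the same two-step form the new secretstore templates use, `{{- $backend := .Values.global.secretStore.backend | default "vault" }}` followed by `{{- if eq $backend "vault" }}`, and add a test case with `backend: kubernetes` that asserts the Job is absent.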
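Review bot: golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-role.yaml tests `eq .Values.global.secretStore.backend "kubernetes"` without the `| default "vault"` fallback that the two secretstore templates in this patch apply, so an unset `global.secretStore.backend` is evaluated differently here than in its siblings; bind `$backend` with the default first so all three templates agree on what an unset backend means. The Role itself is correctly scoped to `remoteNamespace` with only get/list/watch on secrets, but the patch adds no RoleBinding for the `golang-external-secrets` ServiceAccount that the kubernetes ClusterSecretStore authenticates with; if that binding lives elsewhere, a comment pointing to it would save the next reader the search.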
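Review bot: the golang-external-secrets/values.yaml hunk renames `caProvider.vaultHostCluster`/`vaultClientCluster` to `hostCluster`/`clientCluster` and drops the top-level `mountPath`/`mountRole` keys in favour of `golangExternalSecrets.vault.mountPath` and `golangExternalSecrets.rbac.rolename`; Helm does not warn about unknown keys, so any pattern still overriding the old names will silently fall back to the chart defaults and point ESO at the wrong Vault mount or role. Call out the rename as a breaking change in the commit message and consider a render-time guard such as `{{- if or .Values.mountPath .Values.mountRole }}{{ fail "mountPath/mountRole moved under golangExternalSecrets" }}{{- end }}` in one of the templates.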
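Review bot: scripts/determine-main-clustergroup.sh prints its error message ("Error - cannot detrmine clusterGroupName", note the typo) to stdout, but every caller in this patch captures stdout with `$(...)`, so on failure manage-secret-app.sh and manage-secret-namespace.sh end up operating on a file literally named `./values-Error - cannot detrmine clusterGroupName.yaml`; send the message to stderr with `echo "..." >&2` and have the callers check the exit status before using the result.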
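Review bot: scripts/determine-secretstore-backend.sh and scripts/determine-pattern-name.sh declare `#!/bin/sh` but use `==` inside `[ ]`, and the former also uses the obsolescent `-o`; under dash `[ "$BACKEND" == "null" ]` fails with "unexpected operator" and exits 2, the test is treated as false, and the script echoes the literal string `null` as the backend whenever `global.secretStore.backend` is unset, which none of the templates recognise. Write the tests as `[ -z "$BACKEND" ] || [ "$BACKEND" = "null" ]` (and likewise for `$PATNAME`), or switch the shebang to bash as determine-main-clustergroup.sh already does.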
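Review bot: scripts/display-secrets-info.sh, scripts/load-k8s-secrets.sh and scripts/process-secrets.sh carry the same copy-pasted prologue, and it has the same two rough edges in each copy: `ANSIBLEPATH="$(dirname ${SCRIPTPATH})/ansible"` leaves `${SCRIPTPATH}` unquoted (and recomputes what `COMMONPATH` already holds), and `basename "`pwd`"` mixes backticks with the `$(...)` used everywhere else. In display-secrets-info.sh additionally `export VALUES_SECRET=$(get_abs_filename "${1}")` masks the function's exit status despite `set -eu`; split it into an assignment and a separate `export`. Given three identical copies, a sourced helper would keep the fixes from diverging.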
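Review bot: in scripts/manage-secret-app.sh the two branches disagree about the shape of `.clusterGroup.applications`: the existence check and the `absent` branch iterate it as a list (`.clusterGroup.applications[] | select(.path == ...)`), while the `present` branch writes a map entry (`.clusterGroup.applications.$APP_NAME = { ... }`), so on a list-shaped values file yq rejects the write and on a map-shaped file the `name` key inside the object duplicates the map key. Settle on one shape (for the map form the lookup becomes `.clusterGroup.applications.$APP_NAME`), and note the script calls determine-main-clustergroup.sh twice and never checks its exit status; also "wth" in the removal message.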
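Review bot: scripts/set-secret-backend.sh writes `$1` straight into values-global.yaml with no validation, whereas the templates in this patch only act on `vault` and `kubernetes`; a typo becomes a backend nothing handles (determine-secretstore-backend.sh only falls back to vault on an empty or null value), and a value containing a double quote breaks the yq expression it is interpolated into. Add a `case "$BACKEND" in vault|kubernetes|none) ;; *) echo "unsupported backend $BACKEND" >&2; exit 1 ;; esac` before the `yq -i`, matching the argument handling in manage-secret-app.sh.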
From: Michele Baldessari Date: Fri, 9 Feb 2024 17:02:49 +0100 Subject: [PATCH 08/64] Upgrade ESO to v0.9.12 --- golang-external-secrets/Chart.yaml | 2 +- .../charts/external-secrets-0.9.11.tgz | Bin 86686 -> 0 bytes .../charts/external-secrets-0.9.12.tgz | Bin 0 -> 93006 bytes golang-external-secrets/values.yaml | 6 +- ...rets-industrial-edge-factory.expected.yaml | 3982 +++++++++++++---- ...-secrets-industrial-edge-hub.expected.yaml | 3982 +++++++++++++---- ...ecrets-medical-diagnosis-hub.expected.yaml | 3982 +++++++++++++---- ...olang-external-secrets-naked.expected.yaml | 3982 +++++++++++++---- ...lang-external-secrets-normal.expected.yaml | 3982 +++++++++++++---- 9 files changed, 15434 insertions(+), 4484 deletions(-) delete mode 100644 golang-external-secrets/charts/external-secrets-0.9.11.tgz create mode 100644 golang-external-secrets/charts/external-secrets-0.9.12.tgz diff --git a/golang-external-secrets/Chart.yaml b/golang-external-secrets/Chart.yaml index b60b499..38549d5 100644 --- a/golang-external-secrets/Chart.yaml +++ b/golang-external-secrets/Chart.yaml @@ -6,6 +6,6 @@ name: golang-external-secrets version: 0.0.3 dependencies: - name: external-secrets - version: "0.9.11" + version: "0.9.12" repository: "https://charts.external-secrets.io" #"https://external-secrets.github.io/kubernetes-external-secrets" 
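Review bot: the Chart.yaml hunk bumps the external-secrets dependency to 0.9.12 and the diffstat shows the vendored charts/external-secrets-0.9.12.tgz replacing 0.9.11, but nothing in the change records where the tarball came from or its digest, so a reviewer can only trust the 93006-byte blob rather than verify it; record the source (the Chart.lock digest or the sha256 from the upstream index.yaml for `https://charts.external-secrets.io`) in the commit message, and drop the stale commented-out `#"https://external-secrets.github.io/kubernetes-external-secrets"` repository URL while touching that line.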
diff --git a/golang-external-secrets/charts/external-secrets-0.9.11.tgz b/golang-external-secrets/charts/external-secrets-0.9.11.tgz deleted file mode 100644 index 0f813640598414f183461f5f42e9d774fd723a86..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 86686
zUU-wc)2SE#~-IpkHW4c%_-k!OknEm;=5KlWI5SuEp3YFcR@DEJxlhwK@c$ zSkN91mZYsC(R{#h*q}KeDSwQwp9z9(MXbVSi2Tpcqb#c~s0(LUP1XpN*3MW4$!Ilq z3EV+bE{3({Xp;Y;8bXQl0D$IT<7YZuVdnW%ZT%i9jt56FJKdnKq?#SkKzT#;>3+av zrjj#I2DU`$=@V)t2PTQv%Z@8;O?79HhIXB^0)#eUlg1>RMMjvnwR7zeeU8F-HS5K* zr^CghZpP9%@o`?6wl7i5BpS@ z#=&eVanxaAR1C_B-@@^!$k9(h=${(ZjkPV55{LdaW}foA1f~u$7Gv932TJ>6*rNb( zgFXU=1}!zHd|DHPcA*vO^X74=>Lll~IuG+#ILqvk<701m_{G0FIX3d!t6dZl=)-&< zXM%7#f^96p=?ILPTWJ;H!U`w)er~@wAr1pL46ubII1FIad`r$AMJ~anTM5PNP=A^D zSFr!>o)xt+;u&?+F1pgIb;yAE)HW_+hM2SEwOrfUqVug`NX+|lJCPaM3p^o$p?5Af zKO~7+j~&CfIayLY^6^}<Z{YaZvH z`*rbFpWZ)r+q$Xu=N5V?WC}DIIEm3WR#O6Dq_Xas3csq1y__&ptYe%AYYxYtn1fBD zEKb#>KTgo?e4L>Bbs%HQ2(|(m+U)k1ahk&b4g+jq2@V4oHQ%{I99O!StCN6D+O{f* z8a)a1uDP7$;!vJjkQ zcZs3pC0g>?h7CdR?XIsj^T)@Kh4}*57b}8h%C>BuWwD;NF{^U#*%S-V7_%q*Ql1-? z6K%NHN7@kXZo9kPp_gnlF*qgbrvM||#v9_s z1P+m<>r}xiSk(|c?u(Ndc#p(HA7i3OQFN_{hJYb@l=%@uE@V&fBYOoT_!tN0?DkAr zl?HM|@q2D=!mN5%QEpON#xw6x>iZsJvmyL33`EPvZB|knOBvpS>cI$r#18zLgvLwa+MHeH9yZaI$z`mo4ZCF5 zjkl>(&h6UQcasSv7?BRlULH)5%Np}YS1MAvfyS#Y0lWSfpiOfj&q&0xz`z88{zrVx zmIfXHR`qGunv9j5;-E^;zjEDQqe8v=LO3i;5?D-Aj5kU8aq^eBqV?&vO3S zN?rYP9Agz>9t(OJvJ8DnKeeyxhOVvvg&ufUV~-;{7f)xmzmLi>e4O3hb{+SP^pwbHaDj<7;=q zw~3o9(GK$-28k*(@17j}?$B_xG$AVGvfaFg>?`VXrz&P#8(Qu>YeM*3)<{gs^1Y0M5xwyb;2_a8NDoEkRrkj<8)dsVvmTXWZqJT|C z-m!Lov`VxljYu=7=~XWoDFW zLwT1!Z=#!*ax|j7S{+*(5?m;ND-QcTp~i)&o5wbND8?i%Vg(7*@N#alU+&6&s% z!Cifipg*OE;C~_&W-`?T(RW@>vsXKg{O;y93RghIF&mEA_+pt2FULv_S9Gq};R-Vt zIb882;tGqLT)M5!igzO6AQkAuAZo>0kFkE2d?ioy<-rvKxX=Y-P zF6E(}eL}BdSd$5i;tV%6s3ZGkQJS-4PuG;Zd?4>|HiMVFRBkgV)>@h1(IM}|(J?RG zI@C(HYK1{NhBYjLijVQRH7kZ%S=7Tq@_qj!+`)*2Lvap9K|H?MA3Yl#jFF0szpZU> zz{2I69gL0+7iiiS`%L{*Ud!%kK;_&D4uFP->f5L zOyg8(PFpCXijP?_ReX#Ks`AFBMOE>!0Hcj7w~=7cS!6YzpaBu?aNWX3k;~k^I_jpJ zyl2luDqmVB>oOHEZhJltD7f}*mDH+(O@)?oM zn7XTxcj~ZK^5l?}60m*&OYvkR@#+fG(*j}6f}27xcAuH{E&;fHf-taG!Tyx@l^!VC zaFPlio}M6#Z%_{bOox-qon*fL5}agi)ZEZIEw1G{BE%{0D!g6=rcL0M;B`L_t|Ejf zy^Xxnm#>9Px91{d99HOm2@We5HSawvRipL>t#fSCo23L(noT=zc{NGeRADVKg!lI7 
zaSuVEE2Jbe3oU0USa>;afUk+&u0>3Ie+dF2sXpC zy>$H8bhj;w*oXo);<)n80_pNwXNGlMzTe{G^8I$K+vWRp`F_^}$1d~z5(+fNQtu?f zR5blzTHpW_o5)dXLyD9g#8`LMmbz&%Gju|(6>2pQvr)hQm8J9G9_iiRscH-TgkJ-y zJ?p3lSDiiYQ#VCEJq}vp*p^FAwe=SMbk3q6UF_uxO6YAgljoK;i^}~L!rV&Qhd%Y= zOV++~IShmW4Pb_|w$-OSJcSR5OIm?V&iQ&1HoeC5-EeXjND(+R2(o)fSzmYqF@r&u zmjOOjdITJ`yJlErX}AnMDfvt))4JA3OjPP;#67K+6|;~I4grJS?c>G1mCc_pYZ!B4*Hx<9CCGX1YI{+I6;3;5_WR%3@r+I;VHS z(J=KUcVtk1M~15aL;`rONuBj>xQ zJ!i(&S)1+p@Nqc4^Km%d;rPn4KKohlDXOxc3buj;)exkP6Pwx3GCpyb#9@+tm*6mo zQS*L-5C3^<$B6ycZ7meUQZvZ|Ckp>=x+nnXlhv)B_=*#J*-7|~0q4f{YNpYbLi(9`Pk3vO31$qhFGiK4zk z+Hj<5LtC!DSjGv~7is}j4wE{=lZq>y;lcY*F#vujCLCoRobtx6~O)Y+(WBtmygM6ExT zcm$s{a7o_H9G~E0!(HOD+w2+nsw{zF&2d)Nc3-*9H9=;VQ3D_2tQz@@48>&o{2sOy zPpqe8Z8!wZdsCw!^49kDLiq4@Y=vuC3b`T^S3)8~vldec4V!5)cVrFJWCf*{L6(Uw zYih2e$;Brl)l9o&<*a#5KePT4oPNfr`KPev8GpGuowj_M(rTM1e`+{Aj>B?)9=SiW z%AppUXX@L8j}6Wus(5NktaG?+O0(-hX-K;BX?!LW{IHaVt1Oc8T|ASNJxx~&e+0eg zmq~z{gpy}h;nau>=c!N8#Ud;|4uff6Cg$&&*b7gd3Mksvh!nmyN>aLz=VA4XQ-eIo zzsSuJuQJX~?0FyPqJ5B#qT&Ek?>O=$B30daCOqkZ6OdR=MoSj7F5gKn6Z9LUJF7YJ&`L!&Opj# zg-;?C~j`4@vIGMqlAkp+)uZ|B-x9&w?t=dI^Y$_+#t;|3|#83Ax8}8ICP3^U$X9Nn$ z($Eni(Z|8S$H_2VkCS0+*YTB5Oe+~iqIYYo@~h~`jYm0tpx9GQ_ZO9%jLtq-IkLrS~WCRPBd4ovxJfEP^huoea(oATz?-s8|<7iRXyJL+?jy68bZNA`u;pRB4dg z+uIR^55S2;kYVMISv*b0GVKM46ywBShC;mfmW5$_`A_&+y~ad6Y=Xw^D4z~)-vpBcqPd#1 zWu05%tND%df!cIrW|wlxKk&j8R}2@Xw^H%gf*+u?1Az2=9ho+bGX2r7|R9>{i8w6L5A) z$Z`}9q8t(ML!*tMidX+{z_Gu_d*8}rl#;LL-2f;l9n&C;&u{!?c$KbgnzwNVbZ_q?rD7C7cz`H`Ps!et-MCgBh9&4y2! 
zNJW!)W}fc%M`*mc47nZoUVy?$_#5ud4kY}Rt#UHH_Ba{e$@osj7Y~<6Tkk%wc>xy_ zP7QH|At(xG;;(!no34jj^^CEsKS$nZ;{;b`k;k2Lai~Z_!4*w;f`LmB!K8UTUn$t4t4Z#fC|VD+tc@jB&yO`JkZ z{Z@>8UQIKITA8=oy|yu5O}sLvycfLvru4p}^lmMu0e$c&Oj+1g#-+F9{ApW_-yzOs zUB%2D1IqXjgrMt5{Lx4~^Ec}8iubTm((s<1?Ak}p{$=n|Xx)vskk4Xt6vnF=RYH_{ zd+!m2O+17_M^k(|;=mb2e)i(ov!@RqZ+g<~OAG+s2_g|TqU)+7A8UPIki{295_MuO|jbKb3lV&L^15$B@05oPVd=;Ko;!d z86Tzz3R=R=r%gua?gX2(;1hI&0QBGVsg6_70@3EJ95zWAjiaHv$f^R48qL=^N;>D% zy1=H#6C!3a?s!r}A=IaQBic3z6StDuzIKCJ)Rf(%BV=iIk+3MG@llp;z6tUaAmJXO znBFYIcVFcNN-kF|Uo#S$S=#0 zXAIeq5&DG6^9zG6bo(CBe(&(-mz9;^Ij$d=Pi&OmyTAX(qyHRXuOEIGpvT(X;PF33 z{Ps$-AfLr5BYlImBORcoMz%xYHu{W+mTK|6_)cbRoCf%X}Aj@-+X*J&~+k z_;P7ksTp~#kYDTvQdMD6YR;(^l2bLIPqqx+)w`+{z3p(txwDv}4Z_t7i334H@ycqc zd`+0MB@*{-Bph;5S-%*z^9HMVB>ptMib#{fM^nrg*@!Zt$OJ30gzb@gDDvBhPo58} zNE?Bgq?%Xc3+35(6=b99zoh8UIE@#JRTN}*W6CxaOjZEHbUgEK{BWEGS3{Oe=RlRF z=y5y-U=3-q5goqKV)m^<1!a%HMr3&%L=^;Cg!L~053gsUyDaZ@#p^MBS4Cwf5V^`xi~?qYF|4(tpf)h$)$;g6H5G}7L1P2sxHNJ9>=M#``yEj z05{YWdoKmvlm_>JBhK2zOHsaFbnE6U)eO!>Hm7DDskr>o0+erO$R>U$2WuS5Oj`nc z>~#L}BVPEl>Buz9uiTX*9ZZgdhnFUqC$JLC-GXD4i@9I;gGeBQr>Y_NxjKpVyf<-%|9SZ_ zKzfAxbR7FB{7S#{zIZ+z>!tHDo%k3S_2`4e~2|I-_%qLA#3bL zaWwQ7%j~Xp3;`PWLx)VuaAGKOedcdC;}$aHEN82PBP*mUnSTX@W8o)P=zs)R!vx?K zsnga<@L`fN%_j8)oKS;S66F2p^-R}7sQMKmf-bA3wOgbG^sCf^Pl@B<1zX~2{{zu2 z9k@Tavl`~w6=jd~cS0|(4}&9M%p>d>G@{_l7;h3_J3{v`dYNXSXoN%-(IZ#T!vF*L zYp_?jA%l}>zzIR+PAIBDe9(a24b~@fM!Rp+=;JU?bvXq148?iL;zcm+;#XRBzLim- zfV5Vhn$Ejzbf&t_{@Q9EPs<+M$wNPsOf;veBAzTs@ZT@b-|C5oAEA}(8g;{0cmPM@ zzegcUQ#4dOrV~@@L~iZKfo1`Z;}Hp^B|ok;B_jbR3 z7opY)^JR+#v_n0w#}SD58qC(L%%j5QmDW10FW5&76M1!!VT&N@YSP7SF}U#|?1YiW z&!K2+aUxQv~CjEvA#?;j1`^Z2%ipKJ0q$#wP;C~Tc$gCuLWZHryDZQHhO+qP|W*|u%l zwryKoRb9HZ_j~TS{PINpfQ-n|DSvh715h_&>Y4ayWz|eyP-}eObB(EOboR&EqKZxY6gWX%HS7K7(Np}{!iMo#OziLN!QxGktR9_ccR6Wz)4vHstUtl#6| zk!9E`m5e*j8N+j)pn8TAB2U++IdWMWpy=}sk&^29gEh~UuIZS)f2E^E8AeHhcUF|$ zXe`WEIjH#kkXXxuy~j$&SRY$lWB3c;g+K?eu6IxoHmP*fizRJ@lIIBlc(5uTKWH9_0tufjIHk~|1-$pTMS*&TV~KQ5^>MmwX4uAR=L9nN 
z5`_eS)z{7v$IdJH53Acpjd~82wn8>o)1!ZlM;6%A>Ts;DC)}CM<>OAS*4aZ`{DS!& zvFNRlj6-PsUdJQdN5zAixDd`nY($;E1N3j`2vLnJPkFyA$Gk^}iGW&Q46PAx)VVp+ z*50T^>|gfi`cP8#=zV4F48QO*DKJb{d%xh`K4-%$JKngNG(tApuZ-j7*5Ra}Mj$N7 zoWClRGVL8-J*OI{WBfqdZ_E@4K^k|P1bhec{en2)R36k6shZB=jt=QnRuAcuuQ{Be#v|q@jWqp^T_QuoyZ+x@zp<0`?}XS=h1rzAGnK~GS{T+5X!+LZ!7e;e!zdA zPakZ?zqGoC@NU83CBP<8F}W{rMp*>LBNDDU2Huu$N;ps5C`x203XiFWBxt|i>i20> z{dxkjC-{ z`F${MTA>q1ps>)hbOG?^g6?8+i7em_=U8}YrtkiG&PZ=ZpL5b^<`mvd*zl;0m4iN~}d z4_#E6j+Y9K%+k#i4`ZBHV~P6hLmBzs%uk7`zz>xBFQd>gKmp-d1-xL8tA zBbDq-8#kp&EysD+gNhb%zlLinP&KiD6z^sofuFY5QrYy!y@QFI6`tCkCtPzEYJQ`t z>HXA%+pUb3zv5T}+cs{kURf=jo6$1w3cUv=SCaW8D{ln@I%$q3BRVJVJl7yti3yA)e`B`6qj1>`#m*2WXBhk z8?w>GYTmgg6QateEch9=2_+zMu&7N`Q~T4Lw)jpoY5R8G#GAgG!0)FA2aTR-bT3aB zVFzDP!KP0A6Yx6?1ja}SP`9C#s*(=8(uND=&mDR);wYm^7@#x@hSlJoPB@(FjMwXK)PR?=MGPMeVHvXDdJ=0=`($gq@i-U zFwd21E6i`nkdbTaTD@M7-*3v%K9Tf?Bov^MK}o%e??8EMF>iLN1K^+WvaTU&ypyk0 zqCVki76faS-7Z_CJ;#z@QFL3KKre@TTVBilv~n?GbJlA;QR&!TW|Ku(%Jll1g7j;f zZO6G)!)fZG0|Iu2yBY1)UV8~f^2@*X_<7v_4$YGBB~P0P2%n*=mo)!Ap{>U;HKbhn zsoxRf^1{o&@2lO?8H+q+sjx(KLznk2Eh8ibQjv*%USl0J9{-^;BKr z6+$Pl>9xHeVN=l=w>={!ji%{TwoQoL$&P6bgv|u?OUD3=2Wz3al75|V$k=WpncjVZ zyR;#{rScUY+mI>s&{p1`D3p;IbsDqs=bQ;AkqOiw(R>IM_;;U=S_g+KpKs^TMv7!7 zTPk8dCQvh`WxWw(xi)%| zk9N^~yqsJ!st6=(WoUu>Ar~eLqHR&VzS!S{O)_AwtXpOjr$sR7mIxUfU?-fraO;qa zq1)(hFh|^zV;XvZNivFVX<|o6803{Zg3ls(KMAm}Na3VfRW~s^WQ3a1)Lvb>PhGX-m;j{wM2QeNPiSp+{5^a~@_ya5Vk)!})JmfP z_w5PzYKf0=>O-m``A(RMu9I@X){|TDbNq&N+8_iO^bKf)>CD6u!E-a`O zVWFsV*?3vc*rcF3e)EK&w=2*7lbm0N^MTsxrX+Q@9b$T-evwNFhUUYUYcE^M` zCgcXXpt%>^dx|ERWn#sbTnjNxcW!2lBQv3(6kq4X`GXjmj)L`oIvu+lE)=>eP}9qS z>N@%vONA5sOJcwqaO|96#53}*M0;~mFxe1Lmze^p;tB%o{^;7qJ;gj6UqaTcs%6AV z2N{D8TKtSAh(j%5cZALx=1*-{KvdJwqIc-KTitgg)^+F9fI)s^gJ>Ax-tD{~7#Y=U z^?O9tIdRih2+Rv^cBBO$hD{33V43(>OeYM#@xUSq-~tGL>+YS>TKWC~HCbQ#OKe>?@bTj?d5??LNBpgN{}WBddys zu{!aQuv(LGb4=^qn)PDl#;*Ts3jk~U4B`TlF<$a^M2g_!-FU;UZ$79J@(kFSdam7LfBuEuw&XTb;&`@EjfDa zq#mnE$#lvrrs~b>z?T;hE5T;Wtb60vS|B{XG5zI(+UT4TzB0zgd%v;03Bf& 
z^Ys&&`<&!)Q@kt?HxJ1gB*wc{|8hM}v-*&ctRLLk--ip$vMI!_$OORZ=G#=7ZfI&aV8L+3>#~c zs0cnMn#Jz8t`xot@wuk*Sr~EdPjpuS!xCBhV1)StZJ;3Y5Kgk%9LdX=+9Xvd#$@C# zatoEiP@06qc*ovGQ0t|2L|k7YNj=PsU69UdT*w#(Lx+6g3i#D*74lISGNR}cGJs7s z4`1ISw0tQ&bY{N)YM+42#hFfuO>DPbb=Wn(%Fu6^z^klF7(~gYa%~%c7KK&wj%XVY zWT|=|)3}%QyfH|us9U+vrfMa_GCQtaS6CmA@TfktILX>l8fd`HPS81M;N>?mI%2fv zWfe6_kLWcrAR;GYjt#b@)m$P9%y^~NU~`E(+`)cPg(Dj6_8H#FRA7qQoc&-U>Jn{ESxI>(vMpiyBRnB&lx;SCTBWQH=`=lUde^XQH>>_^E^k)E z*k35L6H#dNgy;DsoqSBL+JAXt1NJzK3YoH$W{Tf!Sf_xbV>YY#?*I+69K z5FdBzb0}^@{h!4h}_XCF9jo`f2!M zQH8Evw?qOZaRbG+G690ubXoe2p~idwD^r!F|8#L2<(G==0|aK=6|9-LH?qUDO-!LJ z=cLyk>4k^lX9L8YmQ5+_H>s48R)>Yx2*d92F+P;*Y8+iytw9$R(4AtiepfZffRsuTzIgf(ssv2x|;%K{*PS2v~rGvJK z;Xgs4+YSk>iCwFDfr(u|KR&rVd9V>rg9_fiwL9BVdPmAdU^2Vp0!&$y2!59#_Zr`q zOaN36&i#hDex!PUGrAb8R4ve;EEg!%8t?}*yO3{F80CA`0HOojzE{0l!3Vx!eWSZ3 zK9p@~I;d37jFwt!(%@1&!YC_8c_i()OYnLbY>uh<&1zF|z5l}%>Ex&=g^1Dalm1vW zpkCOsyI_Q&%+t@b6I2&KVKHW|oXW66>c{Od^hYGRIx+^`6(HFjOZxWyjPLc!fYcE! zU435oPP|W?0okxiG{VZs*{j*cegEv;O?U3~l(#7Ed^+=YNy1SLrWxx%JEb7c-Q~nr;~>Lo+z;ju+89 z1i$lhCmR_w5Xv&l60T~2qr_OTEb9#ms}mKiTfudS^NM)p0Se{RFv!SRV4*o zH&bBHT|dB3n)z~_d0~hg(9!|Ps;77bw0NibHIh6}YNm;$IUPK0smw%uj5emgyufCIqwuf1O^IJ93V8;k9{Rl~_=3Me-U^%19{tdxEC)uhE+IcrDyL5X# ztQsWISBQKbLy9LELP^0n+#(QI-kNZXCYB@dExro&=%dcx2bbmJ^Q4e38YZbn2U<+K zg1eOU)T!nj&mL0FCI@2gSNf0w#iRz4xnlh7WK2ybCjBA41h}*`Cc0jlItB%4i5Z2{v+zE2Fkv*!UT1u`FAbT8fzF?lNP8u4pdgZUNX?w zg#R$>9zWy0+3cE(AoKgPwpagri<-JrD~Xp7C{l4QnTiMAXCgRvw2GNr5jafv@-i`?Njk;eU7haU$Z2p6?>|Et)<;@ zezDK#V#hKtNf1>c0VehPJaFJr$vUvdA%xck2f6o@(1STYLQNCu^#`}%I8H#d7j}S6 zW+zeIYg&aZ$pwR@svvo$WEUXdH#bb|!>f8>-=h?2i4Ekb;eAL(EjcyZyRYw81$-XW zbe^~Cw&*~OCQYP!i)HK!t@H~E3!O*ArE+|%8f$w$MOPpeW%zlCV7|>VD*J;evcvmZ z{XGkqf)ud&Zby`SWp=@csKMaJ$G>RVTk#`GNp`=*NXgdm19i((wEfuol1#iD9o%Mc zNsi?u&Bu9`h(O2MBwEtkra7q!aFYh%FYU;Dn)pH9_B4{q8k#`^e0zdEXfqor61*J7 zD!#%7WMut9P-5A&rwy@XE!{VeJb}1vA+0}9cKD|BXOi9iu_$o1R>ZBK`Ls`}QZ+-C0AcQp+O-qXMbJSeZ=X=wzbQ`Py898c_?i@)2FW3e 
zmbrL&@`(j}_~@F9OZbLH^Gj+*^GP>d*q4-jt00f-XNa>;bU#rWn`oK)sic%e(j(PQ zb4q%}>;KY*P8_T_ZAaA%t}P15dgMc@&N(FU1yx-S%${TqL%S(A9+1;D3TPVn+?WK$ zO}Z`RK>1u&O}qNMvM+7Fu`gZAyB%xfR#F>7l{qH=;AV|W|Keut6aN=(2Bi*C#T0Kc zZ#jhO;*B0lI+sRgfNqxW_WG4o;}6GZj;XDHs&Ez9YZPI}^Zxt8W|KNiI%88etQHl3 zeK@s%>jHef`Bw?}q%MuV1-ln=9`%(wgOT zd=%A5Yj}gDCjY>G9{%0f^VC``AXddC>92}6kAcfyBLx}}-jyPuTT@jY5nfhjq}**4 zC5oB}MD&%WriPYxNx4;!^!5>9-cXH%XABHTfR=X8sObV5R#|+Dfu~4kR5v;KkP4Yc z*6l!^MkfC}SB$KBbC)}9H^E;ce{

@BhEVjE?lfjO%W8o-3H^l(?jmjIBzSAf1EW0=P+tq1p+Mu;M&^l8R7?Bgs zZV{DH~sj63m-O-V3DnfCZE*Tc! z7Sy?I0qS8YP^#Xejklvdq8ECfvVq!Y@zVLITQtD)#EcqXD;zUAV+gR2V+2n6&{zUI zAw{mtDGCW4`0GliSYVg_e!UhTMF^}jhTixt)JhLsjqEN3DHosG3D(hs_b??~$}Zv@ zCW5)xYexmKHiaUYU2DXEUSyc5B&N-zNaMtQXeMb#`6L{%AI;Yp^r=E`Zq1#H0{@T6 z6=PjK@}GlVTdVAto#bd8O74T+9X)U#A6uHR-4Q#vnAjHEr3tD+6qor+6d7NtME#W? zGSV=qqU`(+gmFZh9|bn61*kEQ=#ye-ns;9Ota~C{+K34jZShJ<7U6;t|2Pdv;B?v1 z1bK~Gy(3NCM1Z2%xq>SFKt3MjNHg4U6{|n&9)O~BSRJ=d-sKZuIz~~@1RDA~4U(R* zPCjJBalKfWWqWukV0NbC@04G8%@D=y`=j4&(1;xYeJI28){BX8v8N{ef*}2ieYunQ zV{EBwIvfO5*4~L=fI2k|DvFZP&UJ9i9GV8zB8xDoA(j^+4DjvpBt z3M#8O#7!{qrkOu92O?&kuB2yYo~Toghq}D1JXwbswWqW7|e*%T|ma|}cxWDV` z{jiWgKC6(A$Mb+~h!!EX;4tz7Iz&lH87(rSR*+-M zYbORbygS^p*1y0eT72KirlH|LQkN;k!4m$gSc(E$jKNb8xfTrr^mvDJ>v_p#a);G{)s9G+>-V zLEMgIJ9IOKcze|yg#q*H2Q;T%zU|Xv-m?-VD^cpycf+mMnGVfFXuwUvjhE|1Ecinp)vZVi#G}KqGV|N**0e72PLQDp+XGa zS*s?o!T>Z^BY_RUaC)$&-Vs;hZ$@(68NpT81lUuY-FVh0-g8Q^wh4skMb~5^%uLKJ ziy?&4J~55$6Freq81+ZFahJm=*5eKmaC3n_TWqrXQinY>7`GilM`?DW-Y<0^quy97 zyEKnBQ*Km4d+v6Xrb>SfDKj*Z@Hlnhs9u7#gT2#F`*$Dp1SbmGp0>+I8* z((T8Dg(QxB=(>Zfn(q?WX^BNnOx&ob`f<~AG_dMGRTr-P98;TZ3g>@RVoD0Q;y-&mJ;pyejrB zL^m`gFnfI(QW{5J0hPIekr`5 z@EjaTEc^25RPCe+Lt82f&W*6kG~xI@&mn<%l!60yw#YYBb*GE0|Qs4V`$q z1pc!SskvU8xBz_~nW>20C)i4zo-M2%%;S%Q*gTSh+H(INa8o|PV@-j9yDDQk^a}B< zc$0X{8$+*Tjbw-Dh+u61Ue4t_a2Roh#ahLY%;wuUXOLYNaw5o`EL@)pBMXn;C-`_? 
zn^s(1`f>Sj*daJ$pdG86{pufLa~Svc@9skUllj#KL=*-pqo^y?sL57p=)=w3Axs0; z-ffU8HeAu2b~+swu;@Dxg&d#4eAb+ERT##J^}VD=+kx7fA5t?p8tETW6Onk!I2}Yh zdd?{um9lj?);93RNn5ww>IHU$JPh{LY~deAdwg2B6kp~HFlEma@Bv+-I{_)cW26c_ z{fao1mnlfr8zQDAB$Ucc$ZP&exFk{8!SXj2xc2S+PHO{k@q>^j8-S$bD6{xsT(}Ep zVG*ykXB>sQ155!Wc#;MH5N01@2YAHvVhz1?j=Pk4Yb?eu5KTlemT>mLaG1CHXFC8% zDp6=^F^@&AVu+19Vk;rrC?57eCcde_$$x;&5(d6s{yZvM6*F-Yh16&gP}pyH7B+lZl_7{U>7L+97|A!DaTQkrqXIkHMTyztOp{}b1AS$u)&{FBq#OgS~tMaB1k)R&Jw zHFF>KYC1?JV_YV|ZH1Btx%h>EX-Df|D~5&7zyAdI53%_KNTc-(!2*=E53N=N9X2dZ zT81wXd3@y{kjxqr1+F-EiD-7`Pywj5?4Nj_9W_g`u+o`ZD!|1ugc6!Zo)yvi5MkYc zYfDEz(vV=}zHMSkk8HM(0{M^}o2%d?VBX-Wo?dY7SK?rdIIJ#>_$xap7_!wcSs2^w z#px)TRo32Qq>l?t8=Epg-d-fTL4QwCnBF1>L>98ed|(C`R@mxDfmSU(&Rp^5Jz6(^ z7s#Fgfq?AH9>w2()rAhm5NQf#-PE-0w}=u(W=K;(P>B;W6jw&bx4`sD{=CvI4^6w( zsl96tz(@{&UND}2vCY~Rm_8aVz|W@Qz~67swXbRbW9t{T=5Q>LhBVa8X2#IgQA2}` z4tEn-54xWnn)6Reh-wa)vmh~pi2?if42+q$CT9Qjs>-x>BYq4%OU08wk*f-g0UG{8 zyCn@Oua6A37RBv5fv1D<9BffZ6s$7)HAZ)er-zZuDKlnH$irpmM?cExo|o_e61;)D zLW&+7hr4J(KCk<$^~JDQHlE0`V5Xc?0#llk5&fFIrRMecSc)x%a-($%F;W)WU*2%o z)V>U|fxDmSGCEO^4ijMnls&pM(5IHVFYIcME$zEvJq3PhPC{rcIAtPG>>gYl3fQ(h z(kc`%71SMYfOOnbI+&7d`fx~$s;(^=d!Q#4R zKnTiqv)MasWN^!oK11%PPD0%h8>V|!4aI&5eSt#%GD{P!DB4|+*<<8$Ei$c+b*$1R zvBY|uQ~;gX#$d54rpY&Co#v1khLk{b@0Ht|RAng5GlB293YDSN7G4+kL9HU&EYeSu ztr}J%Lx-4J(!!gWkhKukLpNRtv%sfe-F-cp3yqvox7mAoOm}R7mCqxH;3BqY8UDH_ zFdNu8|06%m=`RZ`V6OoqPWlkXb4EQJ4!Szz}oNY&EHmtKoCeD3hd!R7Nh8VH6hVw=X|Oc;zJ9e zJ8xR_N4XUWNDr|krI<-8XIycM#NhY?tm<>?wq?BS^nIrpta-B|YnIF(Q$p9T_hI!v zg{km;WK|9Xh?@C^2ly0bnfy(C*{wvc!=cgTMeaI|ersS1#0%B=d@KE$wd)xxg+8c% z0KqzJ#~7?t%oP$(Gu!Jhik$nvdcWiL`vd*$b@%D^{@3q37i^dB`($t3Z8nGd?d!bp zGsy0z6vpe%(>UAC*PoPZzP`tXp~oH#kVTHHlo3~*+uL)c0TklHkp1~}hu>y7G{6q6 zdU>R%a8kl-KF*)1$cJ-#DSBWCdsRgKMqTVk?&s(b90>hjP<%$@ss}Q&Ou|sg0eWO& zUqCer8RK5RVH#iU?63Atz9%F1GReoe7j+}8D8GY64CV~c5R+~}DKYW|1zsu9n++P* zC7$Fa(0tXiSzE9nd(lAD_+`SBScljrNwJ?#a}QnW^&#Nf!RfmKts*hj{$s%wAG+PX ziiQ30VB?8nYkQq9B7h1qs9SJWOi_g69{5)ZXaJK)ru$d%8l=^s~QWB-mNjbTBJYJr}m< 
z`19O%GtHM|IiAH=^x(Xi!eO5 z4(_-i;urf7UzgbgVG?BgE52S?kF*TqY>voN{JTiH&ZgmQ9 z*)(~poygZC43dRd^t7~z88J{Jbq1@Dq`PiP328*~{s>@~m3mexC_~fBh6|Dk}F5@Jd!dL zJWzO^ejMy(Vdy!jui)z_Yo)M+3H@s8^UTXoZW*HT-st?jiybXI#`~D<`PKXgA)JS#lv> zEqBg;{lZ^9nu`y^+%-S>VE^R$d_P%?e;-nOdkyzN3wZ6-1__h$Y+hf`$X{%qN~DT;PKIEcETpW5tq(PXs_pX{L0 zw8mpEK0y(fNTC!cTH7JzE3(~AILG8G7yxN<1V!X-|K(Ma{{%{6j_{r$p}ZSw_DfxW znRv3Ec%9F%YgyaU%4?iI>Jk&ivllG<2KM`YKm5DCQmNRH>>tq!fKjKCzER)A#1W`z zWMIgh>pGW`v@NZY?i6sUNN=ZtSN;G$`hkZNZ3T4j>IndNocrgfRZEOXLY0R(1Fhwq z1#-@+p*cIhq)KUB%Ri`2*F^A;3WxQ%vGp{+k+cJuT zZqSrH&Co4;q;N%yikih7+nhaOxaI+0$7H?pE^y@bt|!Sa)6bKhQI>%q6po^KF`%i)Jy@GZ>APQ_pzo8sjk z2f#YKCN?}w(>afz4Qvq136>=}zix;oy*<&e?Ul_;hCM(_A{0&Wzo0IZV@)di$zEP} zgSL%t| z3?0B^4b6dRD&#TR zQ62(wVJf}{7?rE%TPCtZlFDOs9HA1l)M!7X>Kg`d>BpsTWDkcK!9VN2=W}a7Vibgq z9I@IZE7H<#xa zqX?Uj%I)Vap*03+%;2ZUQzZrS^rvjD6wT=05EYneZX2Kz5AH%kBEORchI#(oNgrO{_Aaj`T0R!Z$(C$Y zJSZTC5~U(YmR#ODwcy|#M0IC3+UgKk4$8tDW6Es| zR-87eLf&>8e`3`v_P3A64rS`APy(;PcR|&g7xs|_2F;oS8I3p+t-onurx?B3?m#ih zmTb7JA%;0SY=CEFL$VWWom_q`S7N%**1ZN4!I%yKOM^$atxT6jDiZOBL^rtwg0JN|M?T+FLF)yL+yjj@Q{d|b6D0J91^mB+xr@*S= zqn=71;@f#=yxWtk_PHC9F^($aA2Yh{EE3<(5On5T!*4$;CwtN9w7F=Ov-EU!{G7v0 zukfpzKY4 zZ-6rY#QiFDl}JhF;&!jI@XlwDkes1RfZn%3kHkP#J%!Gj$TVjs+e7V^QGEYb*5{i8 z6qC4sX<2=@_MJ4RuV9!5m4`toUX@9eaDltEy!1i(7Msj^!U|V@GnLVSKrlY5PiEA} zV_;7uN#(dsVvlb(5Of+it`TMFzo#Y@1^V^SpP=E08Gcj$7`g-FoOy+KVW}(?WPcV_ z=kr`{PFlK6Av$3R1GSsb^wCoX%3%b&Wx)?)yre2MB%0!b+6T#K{HU$1ZDf0YEiUT> zJX+=?*}o+fpW9?j{plJkWXg$(E_DM=Sk&2>GlVd0866=xll9*WZZ4;B68BnIFIx<@ zFi)1&@?Ly2bJM+eGxAMdWgq%^@bLJxcy+Bl+3Oj3o`iMeK5nd!h2Z+C=7(*&p^upl zl+g4DiQrTnwTQHO`_R8LoYtjKi-Q=`M+uyH?DUl+;zo5$8|F6R2LjK&^~E2!-L0&C zMENnF{&BXjnGTtgB|0> zl&0Xw%G>)fWsCLTyxCfxkFoKDzR%IHvrK@gl6^vg<6^47ktLZ6T)5_NJ3#`d! 
z4Pj)?6ndPKGVC*4i!>J*NstcRpAlAdbZk5`Dn)2@1sSVG5HW@BpHN*k@=GkXtsw4u zbjbvno^OXS7k)}0JfT`iBt-WKuq4(yRyeiY8Sb_mk-f8YL6Pf$}+#8RE0Q4)AGM_fm3ix<{!v z?O1+*iD^MTeE66=I9F$1gB_IfYIf_G* zt6VkC$ai3nqI7PyyfH7prr-2ZtH*`Np7NTg{XA+jprmW8r2>E=fybbrlm9M87^K~W7#2(i;&)QLlynj#>ff`w~z%q#X-dvOEe^pQFi4_R1JAP|aF zpsI9c+Ye&}L9dQPHc+k{Av`w>!w-haSFWn7vGMTm>S|`@=AWbIoxlK}?hy1ACD%+JSt25DBv zvC2(7slfx|$TfR|?LucF)l`}0mUFX&>?IQ=8@-T84^8)$+((ApZlOpIi?myv&g=ZY zX>H6Xx%r=Bbx53I*rH6AJ+w}y?`?X@C(>2?(81NZ5bA6t^A|d-8w-c@i96#4q+#jM z{H7PY$y{!$rRJ2pC8gfxtUuGy)2KFuceNqlmoWR@q^D6@4Tn){od(0ysx=ZS*YV#v z4F_^bRqEf>RBHEle$ew%j0e^?<{4Au)ir6KW3ljSOt*4VmRa93VUi}&DK9&@Q-`k^ zzTL;)DSDG!*>B;qps$b?amh7lr*u4o)$y!4vXf6f2N0g$ufX6F%-Yl5cJlY%z=-gM zjR9I(3b`ZY4!T<|j zZ_(pQIrr+n75PC8utrj^Ht>GxZOxfAKO5m@AI)a}XIU;#-HoIWw-BO zyH|YceqWz2yYBB;-ixmq2Kb4mKEOo|uzhyctIuCKyv3Dh!T>S!+?-sp_uv*^bz}W| z1`+N6QQ~7zsi9ehT||y!$!F*2E+4{AcxNX;zcF!pWxp0fDr;GOs>-lT?|1jG2Son< zR6MdVjNUO_H?u!K$U)bM1}TEc#@`N4W6SLGc9V8m7%qiQo01_E46$=m$zo~2q7_j1 zQ{|NmQeYLpsVyddKhEBFh!=x|b8BqhO~i_hp~|WXupc(YyDxRFJL}jm(2Pu^7-@Vt{ZTrhLtNTQXI`KGe zc~Wlv+3+aaST|fCG_6!F1P}_$_h}Ru5)NQE5wDK^*i~)n9%rYaQ~CAdohh|pyV%-| zV$(}@J!Ul(vAI&6V8Q6FQ{z-_gB0h~ygl*SPkmy#Un!0h;_LnRO^XNToM>(D>@TSG zFv^Hc%#dF!KfXA^EKdn~z9QLgvp^Gk$#LToNg8DdD@j=a_ZQkA`oY5Io1bR4im-g+ zl|;^N(Msv1BYl0_?Hl-zO{5*G_p&*1IN@LsilXhSP3yu!C!aOLVw_5jeHyQ}k-kR}XJ~Ts7sRe_3 z6A@WznsNohsyBC9E>+zd?cdZjih-Cog+%Ud7x(8L%zU(XztIuTlO|RBZUGv@{7=>3 zLY)x{6VbDW+S-TKNFVoyFO&Yj<}2)PP`JqAETUFhQ1_PdfynH+*)Ac&i^Q1175D+Vuks*1^G;81#o41 zMKk)k`dFxsbZ^t_Hpy72i`ZQvq^+z@vKnhoDbi`BFnWh02rIT|2CU3H%|Txf!00?S zYKAPnaQS@u_;oyeOU2jQAmP=)e%Ida$0mGz@4YFVem5tMo_}Y5^%i`mruwdC_`T`K zocdLKCt1B8&!X`3W_T8c_TI&7x7L1kIaT*)N7u~0AhP$U{}$_^TB6%yxTeY>z}O(B z$9WhBcVCG4XB|(Z!;k0C{!C15-Fr532E#NlSOn^xMhkh500Wg)-LRBeXR4?AgR9-8Ys8gMWx|R!ZgN1Mc*hj#h zddpzJ1hlUxu#r>J2<%E`E=iW+feg^P-Db=5f3*kR z&kFPzG8BgyNX%fe-OtS5c?8TFJ5eJn1h(xJj_XG;=1#gZ<=!MPq7)~ANs7_ccVQG;F4sxwcnMFo3=xAwEdByh%Jo9$ zdvkjHNDmatB@LFmvaS`s+5r|l*m9kCV|Z_855`(A6dkb@A5;8#PD0pIWfu>aX>Qg> 
z7R$diik-eJePHA}zfRBHcKP_o-~Dj8{Z5|vI^CI7#tSh?<_ z*TI+~u?ymt=vy!W3vxM1_&dPVG_RCy(Mvb4nrv^L|}zgY3_yB z5!bRg=(X~l+2khoa0DiqVdQ(KOlr|~{L!#54#B`gs$c!TRnanbvd$WsJtd5uQ&*&n zlohLvKr1Li`#IZ)vZNbo^@V8b(F^b`z!TeNOxx3JIF=16!w`hm#Kl8Rxib`eZ3eqGLQM1?@u_IH5B~m? zLNJvE8IE@$yIJl@#KfwInm|xomQ%r_JJHj$sZqDH0w`l1xn9ArG04);lQS_9J#tze3;4txT>Xe3 zhXl4EAURxm-%l;Xmtp$$atr}Ku-{pn1%@oN2utZJR!v&JBMXyVOMwKF1@hp;l6ujv zYmvo`gZSf7LcMMiMCZq-L)Pad8O0(vlrgRh%u*0GEvWnpwO=NtD-?`I(4UmgdrAlH z>d3VJrJC5U0>MWGh84r1rT6>G)lYaaxCc&;e1pOKKw%2;AKS#(S*rO8uDyoCM13n| z7OQ{nFRx@QM)rtbUX;_;`~T=BP_V(CZ0mT_FH13Ld0jCI-WG9tmd5LoJQy@|GMAXD z37ED?j#p9*7Eo2I2(;G|uQFfG{?e6?a!ia;^1>$D?RX?|4pFmqLQIiZorI`GI+`(i|1q_ZIN+u4**TiC4$g zhKflwA}37ftBACy=~kc!A4!eUMw+@(#B3OkBb0C1I~U6LP1MH5+F}+x**oa+Ow`)P z8f;TkCK#L!mn&2ku@LMjZdws6op1vOOEq&hY2?Zvcq)Vm2^Q?tw~34p6Qq6jRGwwu ze^$5=$QbnzS9yx!7)@=p5)iVvsb8qBTfjP0WJzCWDs7z6Sh%)wL@5{|!rIB8q5aAy zB$GF4G7LS?z2JnY)o!ePoEf`QS~Rj>Z{ucroXzQ{t~SssMFQi2tA{%qhFxTw5i0aE!%u-Y&j{7&y#+8WNA5kkkOuDJGc2Yp0dfF zXD#O2=c34pR@{~Ghp&NNoX$c&dLbL{Abi$hN<-`qT*W(6PD}B53)7dsr)Me3IXC@4 zw3IG6O4g_zj7wddyhw8`r>(C?KO8&h{Vg8Wqb0533r%f&{!yY{Of_Oed+$pXX6?Ynl9 z5=(ct}wH8@#$+^+py zB#Y(F_<3KPJvMB>2A`1lqgP8be&ZKbx*7 z!|D#e(wKbMzY87vzF4m|1o!4AJK-gy+@Y5cxBce*rsIt~&9#~0Ol&mAb;ch1=n1Wd z!VJr=(Gwi1ir1<_-$xo17uwkc5yzk%b4+-INEgBp}1BZ#F%BYnq5_5NGTEbdeF9rjJpg)y~| zOCD2LEUbND`W$ytgjyPc_KOfunrNVbOF_$~XS+0kB%0R==I_mb9hdlA#{Nhl!=fH&s+t_{%mueZ%&*bl z(9KPv{!$>K(?jYJy?GI>Z&+&-j8w0%+3rY24tW zjQy9s(pL65u0a+bBqQJ;v;hKe5IXAOts%mkkV3-G!;5gN2YBBu-|KY|6{tKuu(r6) z;UqEtVKrFT+A?LlkydVPjK|mdvVo|8{!CplqOIhr!Ne<7UK$D@mZUw=V`O+gg*t3} z!G2W_X4tI$p(aIM&$_ZVQvQ8ngqytgn{yO=CNjj1%GM{M-2a^){wf*3YSgipOLBT znPKF0VAg+aP6RSdVErsxLW__iGrw?_x8-h6KDUF=W@-Z*Yh22VtzMP)X(P5z6DN0} z0oQt`a0A;I51x>kS+^~%rL?9|n5VN}0g@-TG(bnYNNQ)bze4s%@bSWOA=2zaXr$Cy zR8bIungYv2cJLRXSGgfntlKTb1ab>2K24YSwwOenO#)U(PNc#5`m25c%wh+o3~2(F z)CSS|{aBrN3mgC#y@nuU-iOm!A3xG?5kGv^4<2BeO3-Qakdeu^!!;71TTng_2#A`N z@(&FZFhAbWe%+ril6_5)29^DC#5W+nNmnlu6Wh7Fi48d2S^8pE?W!P|i+mN33EOuF 
z(^LylLdIliTci>UPn&u0)cUd&%!TlssRt|hJCnb{6+O2XMk_>y?OTj`krxx->4w*4 zFV(N3VP;1L7VTDGn2 z{TmIiUkAOG{jqZV)?Ig^*w7w9t)CITwtc*%X|+C0)~=1@;F9J6Xz%A}U2y?ct0S8q zuU}igEy#5WHc!itD&@}fNJVwkrlY}-CAlmrk1tWkbU5_M*2Xxzso*9E3UPxBJWfPRro%SvD~HwWO&wjesmUZqLE_L~D;=kbc!P`|?{K0yC?fDs#8ot|_DRtl1Ob;-HDu4YA_ zV?G|SOcbML6ttFTyWnZI@UOctdnt9Ie6QlR<{pIo zpH~S`Lkq{F6m6)^F8Ae}uM}g%8`R2;tV9CgA?*hZx+%Z5Fu9=PuI9S7S+3}atU=-3 z>$kbn4%cy`bH8aRKSRAP!9acfP}nD1oKEsMIc9NdIs9p3ZB={|u9VBPpBZ0|u6}b@ zePlBNxW}gbbB~R-OH|w7Q-VzMJTMq1CnyBV!V#@hKW1K-YCm}9&+HEM1itzQ_=67T zp1g24CuHenKk^rXsq*0k8-=w6Zu94#hEJghYRoyF-fIpoF7$o5XuN~U@U6?Vh~&E3 zNIi*@b|HB+D0Aj7_;8?tV8s%kkhxh5ltTFGQSToWQDf59x!Y&s}U8|kSo*>&a@%!^ZNPc_*~6*kQIRA5#R z#H?6*(cFmm^Wa{6(9BF;<~uDYSZ~)P8ffI%_Ys9#^-r>#{1~!2R$IrrZLL(_9WoE` z29+xJGh7OzEHY^(EZ{#XUog`aN5nb^tE?|Il+p-b={Gp+a-h-iL{{vfvyt=>R%zW+ zIi`J6lUPekxI0Oc+?6>F?gWKsvWbmB=dhtjg#6x7RIKW1K2x-qnaq0*HCH0HJNE)S zb^C3s6L3lQzR$#Rr&H$=<`HFO6Q{_S+XML>A61**}LKe1UjG>VIe--p0!-RS9M)YX0Q*c-aWNKdN0A)erZ=*lPe;u-6${WchVH*Cocrvp!K@y53@+zM4WR zgQntb$oV=^7D40z?iSn?$?Q7X;bx1f(u<00u-F^bPg8X#)3hhuyp#53TMx2UHG(>1jhOlM3q+*)Z94s`yd4x}%@mepcA&(0^9g?%|kwFN$Yx&EA)Y zD9|tao2S*3eZH}=;g(K6niN|tl~;@>TBMq{ho@2sc{SOSdxxdt6!2+4C3Ow1|NFFw zLC6g&mhcXIV-AB*%=ZM4Ms=91c$&yMM-N{$p&MLjmLd4&c=)+#y)S1{1EVmq(_0v}GurfWb=Fj&b>m&CmekX9iLdv_ ziW@^{08=jLxcx%YV?$`kIjMsbZOsU`o?Tz@Vrm!u`%^G#uuv#rS7hqrKkC{`mY!kh zSYTbdh)_<4n36~NHb=@ta}h5*T>2%drDVR&5No!VRDZhNXLTu8Nyl|&;v)U{U6LM| zLo`SNLj68gFDX(xov8Z7PGSiA4rU9qal(C|8nk;Em(mSVD~A#~^jJD?TEG8=RIkBS zbKHl~LyN3zSK#+4f2G3J`b~r607AOMv+eY>?46lX`y>ZkW~h&vMielly?)PySG>Lx zgK*?7?oL;H8ro8VU+jUwJ-4AI5JYaaX?E2DFU<=_B{*vIedJg%$1BZo#~ZtGe;jx+ zsa}Uz0BP6__~Iqd^H?wwgclG~xmD^_t;xj;{OVxH`lK;LiIl)4J9~ykK*4OeZg;*Z zX!irB7SL9?+s_pN%xH^79)OpBeZFyIDEBtcw>$Ud#}%rlYuaDStFcF^bW}Ujd!<#A z;wc+!8HE$VO0BTG@@eqDTOg5nQa2h9oA0o$?|^%1`uO(#fTL*L6em&m>L!UFqikb7 zc7r{})%*C4K6lhW(ac@Zp@@~wotOry2YE2KV7&iIVujKG=1Hh+2RW?l;+B>@;_&9> zIe+yfc8nyi9io&k#uWe5LLf5*QWW}=aIb@4_YeN1VP_Ls1Y;)cdIVnh{F4XPa>M|l 
zSCw*bnb!)HLx>z6e3ux}gBXhr?cz_4#haaIRV*K)>Ct+J@jfZ5K47Mm-VCF~ey@jO z7->)2M)$UEk@0rT;3v~dddpP7Jvq8^O1s!f@#TcY^1D%{3R%vlyj1I)jsB*s@SDU6 z#LylOJ4-gv^_6v97~=JqN_%=4QZ?f(X-Q-A1w)!V16H}cn2Lb(irj0KFDx@AauY6W zt@p--=@uy!ne0=CW{>kLvK>P-$NJd z4JB{M(NbBdms9Q%Az90DO(;#I zc?;MN6c;@$Otu$}SZz%S&Rl2rF%1USBLa)UuTexw*NUg_Ew*N z7&$vIIKUJ%H!OrOy`b!hB)Y*$?E;qJR-#14`4cc4yybU2R1FT=`%wq*Ou z&?}z3DE~M%@x>_yLp9jMT!&DdFconPhq&W_WzpkFru7{23Z6!g0#jSwzK{$WM3V>m z830y76xzaUyHlHwB#KQ#HYM~vfEtUt<6|BNQe6-@xF5WP$-VQVkSEVC_(X%~=;g(m ze-6s^35KQOnK`oLP`$X5|izC#Jb|RCXix}fdaM-@~xG=&gkS0 z!Qq$|Pt$Pde{TWvB=NY>q${ZSaiTgFQ%ghTrdtSi=X!r+=*J7OsUqP-F*cXue^3Ecb9tW(c>YJ+lq=N7Wf)>krMxhkNQ^^k;Si@Bte z4`PO+1Ak3(cJaXVCU5eOz~5Y(w!+_CE>aE=jan;PvIm=d533QgC7ehG=4;--tbB0< zK;*i;b3fBci&DJA?8FCoTV#Y+=pd=w9H^j3%)l>M#%BbgfC({52ZBVbe>g=xc4ncL z8gaT=^J$-zgb$29yr9hF1bcX)8n_|?gPu|rk!lXoV( z%*jav{l^SOxp`a(E94LS1$%+h#y@IU#O469+h54n^HTS~d8lDAZ3k(>xh7Bdzu?m5K6CBP~I-4fR;ciD20i9S-p ze;aMNPRrx}? zr)F9p9j0h^#-Cpk4n%3qBkUvyxC*{Z>Hh4XHn-(Ir2B+}_V5am_lY~}xa=5JGLO$I zyQUkdrB?9Kg0@3vV|1fY_MW|-U;}LB7VBH95k;I^^A?PUOD88PP91DbZJfGeGy5o= zSic42*ZYSy7yKC5Tq_f>v_+asn zza8aEpby`6Kbx?yOv^*V2+UfRegc+vU<``?YlgtQ1DqzwN=H&Z1$BV~n=`hCN{>Rp z0}oIR1-5rf*Y58ItcM6cL{J4kCfbR9qcGS~Rs6PSD<7F&m*E^tH^G30Rm3JRIy=EB zoDD|4DuOYWVRC<3-XS!yTefQ@ZpbS0ZB+~*q;$i)oODIb6xh@myKvXi-C zI)=Rn@z9KmPiTC7r&>nQF_PTd?n&I3pFzmLeut(cDtwxh!192m3Uf+IqxRG_n#u9{7#O3$Ay#$)_DiUIYtydDh(~kONxgbc! 
z3<$yH^eHjH>2c4L9=KRSwvi+Y;u8F&t;zYmr|tq^ z);N!x2%ewp&>PBb8;z!=+51L=2!Fv1qxV3#foQsnWbhZG6j_(>2i(w}Z@>Q&Zjb=N4OM@K8*U>118%^R zB%1sQH+(JlAHoe`@>IXz2C{#E8%ln{4Uxxx1vgxJ{5!b8;}5ujdv0O$#2}t_f@1$a z;0CJeKj8+a;zq&0h8t4wD3&pAVt{Z1=`XmU<`>*h`WJA+;`sjnZkTfT3%EhDLDlT< zaKj_f2O0do!wqr&0XN_R;RcTryrjOr!wn7cf4~i|CqLl^m2V}yT!8#Mla z8`6Kl4Ttq2jMdO6VLf=Va}_7~eM?CTo)v$C8%X~JZYci+H|zr8hOZm^?hpS6H@y1= zH(Xx-9d6JW|B;4a9=V|L3vTH2iK>`VY5o&#K>GzZkp6-jnt#F#n7`l#=f8p*F#doW z4u8T8A&o$|Vc>6Y!|E7LHNl^7!zK`J==upa^a5ngae9YMx_`nA*W^FphM;Z}s6XI_ zw-;_wKj8-Q|9~5$xBdlgFc^abnEoT&0QE0$!}Hr?h}6G?8y-=Ca0Am{zzshC32soY z@NxYc+#ogkH@HFW54fRbrbyd5M)YrRLjuFz$3Nf(jX&T9#kHICu3vCN)nCF5)Ihia zBU-$7=)Z;=rp|xC4UYu>1UJ;p{{!5>a`#to!}j0c1{&sHa0B;GxWVLq1UHmp|AZS@ zjDc_iHtWB@4U^3O4sO8uzl9sd|9iM$=lTBtZlL}rxIu;GPq;zt-@*;mbAP}MSlNHV z4XT!Z4L5-O6WmZS`U`G2nP}+&!VP`@pM@K&;Qrr&8{}H*bN_z;H~9V~+%TW~zYaHi z{2Sa*^b>BV{J()4#!UWuxS<;FAK(W41}eS(IozO<`hN&FSQ-2y+`#bP!3{U>fpEjw zZ@A$%-0&N2_zgGwh8upv4Zq=r-*CfkxZyY4@EdOU4LAIT8-BwLzu|`8aKmr7;Wymy z8*cawH~fYhe!~sF;fCLE!*96ZH{9?WZukv1{DvET!wtXThW|adVb$m<@y@Pdb$rO3 z%42%!1c`$_^^&51w+W`QtM;Fl3A4{~{O*ha89`{K)c1RMnwK|JWUXO_=sIYMc?#`~6TOSR_gh*nrOZNu*(NOVlbpUS% zNjQZ_7lk2UE?~anFit|u@`^JAP@M#Q%wbN{K#krxEP*8It5!-B0!6i)AV=#7(Rk+M z^6*!E-4#2R!$`=ssD?xWZrSEDy{UumAH4(n5G}7oNm@ZGC-SAPJS>2SUOqL30 zH&{a5B}()EvKwf6kU?qEs|obmo)c{i68PL870&o3ycHC}3Q9Ck7%zOf7DKpY zOAIPbStQ588}n0TKy2|>Oi@!71}-BA)(7jenMSc_5^DOyk+`ckGK#h!Iy4+l-f=0XsQ#7LQ|4g zq}ExnxFSzSs8RaBbc(NJ3<}d}3cYt^T&bI=`9=Sr99T#zU8Fi^7rhszX=u~v0oM{+ zBmWGym>%DRVK-%hV(QMdPMG6`9&!~ah6-JK(B78%Lv^H*o2mrIS#E`%?cfq=cJKUP zKLvYxu6ZBZXqIOY*Fj6LI$y4x9lNBA+Lr)a{Jh)SkT0o+j4fK!fh|}n+@siq^^t4* zI1l0Qs5cA0>P=Y@Gx>z4Cd$+G!vcPqmA{xUFH^sJpaMV<=2Z=(6kZLg1q3`Kq z*e<*GG@Dg1>W7SRoy8?lpf>Vy%*;_vy05U(NzA6*we-lX_*w!BVYt=_d9}r3V^e7+ zCS%2&MOOri_Styu4G0JyA+@mw8iB1p=B;EL)~DSs2{YeKKt3@P%dkUhXyLs37~MPx zBKZJYLz{y_fbCliW;W|Wv6gJXn_z3C6vV~49X69a9hn=KgB^jIE+1-2kZzILB*Gdk z$2${c5fVN5b<#AT!t~YMJ}J5gGOD~B9h1rJ6P8oTkqLHivbapRNh&fzL0Ghy8?QK$5l$NYaWlK5N7lXcfGM 
z3EA_!XD#Ec!%FTSHu%^Ed^NT5R_L$N=~r5;!0GcFMDq9^6l;4)t8=Iy5OxWsB-1b= zR=u%!>e={!q<1_L^40E};m1P6r=2ARf6(F^MQ1U7+_$?!7%GRBpkuwb1zgKXbR+Iw z01vC-vaAGaZ;8Xc$fADOS!G;pF5&Ai3rMO6N1#n$y{Dl+KTdI!g^;S(n# zgt&apd&tq8V?99V^Xt9{``-b1)vOljTQPenK1h771Cg`E{a0mAe=A>N6k*cR%AN#9Tgxw)z`R$=Fol~t_X zU&0^Q7nLAoK&BWLP`wLGaZwMk?^I8&J#0h>OnbnE2N}+T5)yI5@e7bNV>3JCOC1`C zM}SV_irnhh9iS|QQdFQ8A#o3vQQvt( zQWt-EabBMYH%Yh6l$sxS!=UTY9K}`&L{c@r@g7Ada=d$X&sPN%}y#SK54MZOQBbL zY^1oHd?~Z<7Uq(iWf_FfJ}7cN0|=4jTu=}*5fpz=6Q+e1MRlMS+QIV`ew_hTqIoK+ zE@~1VRBh~`gci;E_)fzb2HCe1CqN*o!zg-z39gzP;Az18Af&bn&Vs8f`2Nwwu-jxy ziL@HK<5k(?WF}9us+8ZluTcYsVd0IXDHJ?lo8|k6%A|*49-=EhapWkyd0K=(3V56y zd2OcSyYTKXyUXv9W0>OTSjgkO0@KsxkXM%Uk~GBh*fUpVLs|>TDUyC1oDSJ3pOAHw zCekS8?$wJoN6})ODCEt+Dm^k`uaD6R1Ug~AdPDWoJg!!HsE7)JNpyz4#quzH%9Xe` z?*@%s*o;}V!Z%~A%tK`OCJmy#VdFJssu+EyHd*#%f7(Q5f>6!rV)%<*qYjIsg2<#r zqsI#Ht@f}gKP0LvnRRtY6I;%aMWO4fy&3`Z?g-cp(Kt=0iglb+9fY^61Cj!L{Ypb% z*q;4LaPmUXWL)8%(tU8^O--Up2i@qdrF=f~jyGGN?)4Z%{dS^~2*!JHg|{@0o-mN+ zb{>!%|p~=%gG-)!3*gz@XQhQ5N^$8;P52zKRKl9PS^Bc?&-S{Du z--6=d%Vh*)SDS6hgrgAt;6aPUouJ9AEvj|Dg~P*#H9g?*x5wW`ZgyY^;uHpId%A?g z*|rljwncrSAl7f(<|_w;w)&=SDXo6c3F!PNDP(W(zQj0`6l^%$+uq&@Y8xJbws8XV zQK!{ejt$c4f&Z>BpK> z@iAvWWZL5&P9C}&eayd(A+0R748}cUS7n0;op~AX@`dw`x|n!YabEJjSz}j=tX~Q) zPm(EyTyko@e_#w~Z#1?(Mv5@9C3Lc4vKe0G;8;U+vKn73lX<2a0HIe8n5}J8XLQ0KTNyc z9WRuOi08AViTn=~2S$`bMiDxu03T&+auifLoITk+NEYJzjtD7F=tbkrw+`Bp(&>u1 zCMIu}!0R(C!8v-Q+H^mh))mtq^NFkt&T!I2t+y~E=CG3569!i%=k995%c^}SiYQVE zSk;aR6Vf3v3IjaZunx*$Wm=do{%&voY z$zzoJ2w_>&&Y(MdBa<=BG0BOUzgjF8wFUJTtIo{ZqcV2dJZd9?OiggX2_P@JrU>Lk zIdgMc0(fwOn$jL;%Geu;4RtCnHJ!+AS|@r86)8HBz#5dJ*?XS-nQb*#ctO31ia<}? 
zzBuWs5pUlh?azesupUF&P5g17QK&Fw+yPSr>Qg#rrX(NrCjEJK`nNR1q)gP=Eb(*_ z1-kUdvY+JxJ-fG)`oR7r;0HS)(Go7ouDG`(GzMkisbVwz<*XX|9<9Io~#iQ~gKt zSMN_azddpv)s{O$`>V*Q2KG#yH7t`GSk?`aFG}K2M*g&(r7W^YnT8Jbj)%PoJmH)92~)^m+O`eV#u5c%T0t Ls1SjK0N4Zo6jePG literal 0 HcmV?d00001 diff --git a/hashicorp-vault/values.yaml b/hashicorp-vault/values.yaml index cb1b769..fa73a06 100644 --- a/hashicorp-vault/values.yaml +++ b/hashicorp-vault/values.yaml @@ -48,4 +48,4 @@ vault: termination: "reencrypt" image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.15.6-ubi" + tag: "1.16.1-ubi" diff --git a/tests/hashicorp-vault-industrial-edge-factory.expected.yaml b/tests/hashicorp-vault-industrial-edge-factory.expected.yaml index 0f2218b..74212ee 100644 --- a/tests/hashicorp-vault-industrial-edge-factory.expected.yaml +++ b/tests/hashicorp-vault-industrial-edge-factory.expected.yaml @@ -6,7 +6,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,12 +18,13 @@ metadata: name: hashicorp-vault-config namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm data: extraconfig-from-values.hcl: |- + disable_mlock = true ui = true listener "tcp" { @@ -42,7 +43,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -63,7 +64,7 @@ metadata: name: hashicorp-vault-internal namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +96,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +127,7 @@ metadata: name: hashicorp-vault-ui namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -167,10 +168,11 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server + annotations: spec: affinity: @@ -204,7 +206,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.6-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +348,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +375,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.6-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/hashicorp-vault-industrial-edge-hub.expected.yaml b/tests/hashicorp-vault-industrial-edge-hub.expected.yaml index 0f2218b..74212ee 100644 --- a/tests/hashicorp-vault-industrial-edge-hub.expected.yaml 
+++ b/tests/hashicorp-vault-industrial-edge-hub.expected.yaml @@ -6,7 +6,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,12 +18,13 @@ metadata: name: hashicorp-vault-config namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm data: extraconfig-from-values.hcl: |- + disable_mlock = true ui = true listener "tcp" { @@ -42,7 +43,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +64,7 @@ metadata: name: hashicorp-vault-internal namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +96,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +127,7 @@ metadata: name: hashicorp-vault-ui namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -167,10 +168,11 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server + annotations: spec: affinity: 
@@ -204,7 +206,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.6-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +348,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +375,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.6-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml b/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml index 0f2218b..74212ee 100644 --- a/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml +++ b/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml @@ -6,7 +6,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,12 +18,13 @@ metadata: name: hashicorp-vault-config namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm data: extraconfig-from-values.hcl: |- + disable_mlock = true ui = true listener "tcp" { @@ -42,7 +43,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -63,7 +64,7 @@ metadata: name: hashicorp-vault-internal namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +96,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +127,7 @@ metadata: name: hashicorp-vault-ui namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -167,10 +168,11 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server + annotations: spec: affinity: @@ -204,7 +206,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.6-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +348,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +375,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.6-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/hashicorp-vault-naked.expected.yaml b/tests/hashicorp-vault-naked.expected.yaml index 68b5a89..1fe2cd9 100644 --- a/tests/hashicorp-vault-naked.expected.yaml +++ b/tests/hashicorp-vault-naked.expected.yaml 
@@ -6,7 +6,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,12 +18,13 @@ metadata: name: hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm data: extraconfig-from-values.hcl: |- + disable_mlock = true ui = true listener "tcp" { @@ -42,7 +43,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +64,7 @@ metadata: name: hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +96,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +127,7 @@ metadata: name: hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -167,10 +168,11 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server + annotations: spec: affinity: 
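Review bot: the `+ annotations:` line in the `@@ -167,10 +168,11 @@` pod-template hunk has no value, so the rendered manifest carries `annotations: null`. Kubernetes tolerates it, but an empty key in expected output usually means the chart template emits the block even when no annotations are configured; confirm that this is exactly what `helm template` produces (and not a whitespace-trimming artifact), otherwise these files will drift again at the next chart bump.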
@@ -204,7 +206,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.6-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +348,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +375,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.6-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/hashicorp-vault-normal.expected.yaml b/tests/hashicorp-vault-normal.expected.yaml index 0f2218b..74212ee 100644 --- a/tests/hashicorp-vault-normal.expected.yaml +++ b/tests/hashicorp-vault-normal.expected.yaml @@ -6,7 +6,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,12 +18,13 @@ metadata: name: hashicorp-vault-config namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm data: extraconfig-from-values.hcl: |- + disable_mlock = true ui = true listener "tcp" { @@ -42,7 +43,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -63,7 +64,7 @@ metadata: name: hashicorp-vault-internal namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +96,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +127,7 @@ metadata: name: hashicorp-vault-ui namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -167,10 +168,11 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server + annotations: spec: affinity: @@ -204,7 +206,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.6-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +348,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +375,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.6-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR From dd6be56971f161e47bec55f5aeb5863eac9873be Mon Sep 17 00:00:00 2001 
From: Michele Baldessari Date: Mon, 22 Apr 2024 16:19:43 +0200 Subject: [PATCH 59/64] Use --recurse-submodules when cloning In case a git repo has some things split over submodules, let's clone those too. The version of git in the imperative image is currently: sh-5.1# git version git version 2.39.3 Tested with: sh-5.1# git clone --recurse-submodules --single-branch --branch main --depth 1 -- "https://github.com/validatedpatterns/multicloud-gitops" /tmp/ Cloning into '/tmp'... remote: Enumerating objects: 426, done. remote: Counting objects: 100% (426/426), done. remote: Compressing objects: 100% (343/343), done. remote: Total 426 (delta 87), reused 221 (delta 40), pack-reused 0 Receiving objects: 100% (426/426), 545.98 KiB | 1.78 MiB/s, done. Resolving deltas: 100% (87/87), done. Co-Authored-By: Sergio Garcia Martinez --- clustergroup/templates/imperative/_helpers.tpl | 4 ++-- tests/clustergroup-industrial-edge-factory.expected.yaml | 2 +- tests/clustergroup-industrial-edge-hub.expected.yaml | 4 ++-- tests/clustergroup-medical-diagnosis-hub.expected.yaml | 4 ++-- tests/clustergroup-naked.expected.yaml | 2 +- tests/clustergroup-normal.expected.yaml | 4 ++-- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/clustergroup/templates/imperative/_helpers.tpl b/clustergroup/templates/imperative/_helpers.tpl index f28b566..d55220e 100644 --- a/clustergroup/templates/imperative/_helpers.tpl +++ b/clustergroup/templates/imperative/_helpers.tpl @@ -65,7 +65,7 @@ OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch {{ $.Values.global.targetRevision }} --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch {{ $.Values.global.targetRevision }} --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; {{- end }} 
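Review bot: `--recurse-submodules` in the `@@ -65,7 +65,7 @@` hunk widens the trust boundary of the imperative clone: submodules are fetched from whatever URLs the pattern repo's `.gitmodules` declares (pinned to the recorded commit, which is good), and one unreachable or private submodule now fails the whole `git clone` and therefore the imperative job. Two details worth stating in the commit message or handling: `--depth 1` does not apply to the submodules unless `--shallow-submodules` is also passed, and `--single-branch --branch` only constrain the superproject.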
@@ -109,7 +109,7 @@ OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch {{ $.Values.global.targetRevision }} --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch {{ $.Values.global.targetRevision }} --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; {{- end }} {{/* Final done container */}} diff --git a/tests/clustergroup-industrial-edge-factory.expected.yaml b/tests/clustergroup-industrial-edge-factory.expected.yaml index 84d4eaa..f34b5f1 100644 --- a/tests/clustergroup-industrial-edge-factory.expected.yaml +++ b/tests/clustergroup-industrial-edge-factory.expected.yaml @@ -408,7 +408,7 @@ spec: OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - name: test image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest diff --git a/tests/clustergroup-industrial-edge-hub.expected.yaml b/tests/clustergroup-industrial-edge-hub.expected.yaml index d815842..6641ff7 100644 --- a/tests/clustergroup-industrial-edge-hub.expected.yaml +++ b/tests/clustergroup-industrial-edge-hub.expected.yaml 
@@ -569,7 +569,7 @@ spec: OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - name: test image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest @@ -668,7 +668,7 @@ spec: OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - name: unseal-playbook image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest diff --git a/tests/clustergroup-medical-diagnosis-hub.expected.yaml b/tests/clustergroup-medical-diagnosis-hub.expected.yaml index 4449986..a61ce54 100644 --- a/tests/clustergroup-medical-diagnosis-hub.expected.yaml +++ b/tests/clustergroup-medical-diagnosis-hub.expected.yaml @@ -496,7 +496,7 @@ spec: OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - name: test image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest 
@@ -595,7 +595,7 @@ spec: OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - name: unseal-playbook image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest diff --git a/tests/clustergroup-naked.expected.yaml b/tests/clustergroup-naked.expected.yaml index 13e66fc..fdaf429 100644 --- a/tests/clustergroup-naked.expected.yaml +++ b/tests/clustergroup-naked.expected.yaml @@ -261,7 +261,7 @@ spec: OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - name: unseal-playbook image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest diff --git a/tests/clustergroup-normal.expected.yaml b/tests/clustergroup-normal.expected.yaml index 0cb1cc3..93f6892 100644 --- a/tests/clustergroup-normal.expected.yaml +++ b/tests/clustergroup-normal.expected.yaml @@ -458,7 +458,7 @@ spec: OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - name: test image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest 
@@ -557,7 +557,7 @@ spec: OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - name: unseal-playbook image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest From 60600dc8b27b64f14040af3a2ee4ed191f83229d Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Mon, 22 Apr 2024 17:55:34 +0200 Subject: [PATCH 60/64] Drop support for IIB on OCP 4.12 The last job we ran with that for IIB was more than 4 months ago. --- ansible/roles/iib_ci/README.md | 11 ----- ansible/roles/iib_ci/defaults/main.yml | 4 -- ansible/roles/iib_ci/tasks/main.yml | 12 ++--- .../iib_ci/tasks/mirror-related-images.yml | 18 -------- .../iib_ci/tasks/setup-external-registry.yml | 45 ------------------- 5 files changed, 6 insertions(+), 84 deletions(-) delete mode 100644 ansible/roles/iib_ci/tasks/setup-external-registry.yml diff --git a/ansible/roles/iib_ci/README.md b/ansible/roles/iib_ci/README.md index 98355ad..251123f 100644 --- a/ansible/roles/iib_ci/README.md +++ b/ansible/roles/iib_ci/README.md 
@@ -64,17 +64,6 @@ use that. Run `make iib` with the following environment variables set: * `INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:492329` * `KUBEADMINPASS="11111-22222-33333-44444"` -### OCP 4.12 and previous versions - -Due to the lack of v2 manifest support on the internal registry, we use an external -registry. Run `make iib` with the following environment variables set: - -* `INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:492329` -* `REGISTRY=quay.io/rhn_support_mbaldess/iib` -* `REGISTRY_TOKEN=:` - -*Note*: For the REGISTRY_TOKEN go to your quay repository, add a robot with "Write" permissions. The robot created will have a "username" and "password" fields. Set the REGISTRY_TOKEN environment variable to that value. - ## Useful commands * List IIBs for an operator: diff --git a/ansible/roles/iib_ci/defaults/main.yml b/ansible/roles/iib_ci/defaults/main.yml index 7605dba..9873e07 100644 --- a/ansible/roles/iib_ci/defaults/main.yml +++ b/ansible/roles/iib_ci/defaults/main.yml @@ -1,10 +1,6 @@ rh_internal_registry: registry-proxy.engineering.redhat.com iib_image: "{{ lookup('env', 'INDEX_IMAGE') }}" -external_registry: "{{ lookup('env', 'REGISTRY') }}" -external_registry_token: "{{ lookup('env', 'REGISTRY_TOKEN') }}" -external_registry_email: noemail@localhost - kubeadminpass: "{{ lookup('env', 'KUBEADMINPASS') }}" internal_registry_ns: openshift-marketplace diff --git a/ansible/roles/iib_ci/tasks/main.yml b/ansible/roles/iib_ci/tasks/main.yml index ba6eb7c..bb50f28 100644 --- a/ansible/roles/iib_ci/tasks/main.yml +++ b/ansible/roles/iib_ci/tasks/main.yml 
@@ -21,15 +21,15 @@ - name: Is OCP pre OCP 4.13? (aka registry supports v2 manifests) ansible.builtin.set_fact: - use_internal_registry: "{{ oc_version_raw.stdout is version('4.13', '>=') }}" + ocp_413: "{{ oc_version_raw.stdout is version('4.13', '>=') }}" + +- name: Fail if OCP < 4.13 as we do not support it for IIB testing any longer + ansible.builtin.fail: + msg: "OCP versions < 4.13 are not support for IIB loading" + when: not ocp_413 - name: Set up internal registry (OCP >= 4.13) ansible.builtin.include_tasks: setup-internal-registry.yml - when: use_internal_registry - -- name: Set up external registry (OCP < 4.13) - ansible.builtin.include_tasks: setup-external-registry.yml - when: not use_internal_registry - name: Install new IIB in cluster ansible.builtin.include_tasks: install-iib-in-cluster.yml diff --git a/ansible/roles/iib_ci/tasks/mirror-related-images.yml b/ansible/roles/iib_ci/tasks/mirror-related-images.yml index 32a36c0..bf7356d 100644 --- a/ansible/roles/iib_ci/tasks/mirror-related-images.yml +++ b/ansible/roles/iib_ci/tasks/mirror-related-images.yml @@ -91,16 +91,6 @@ 'mirrordest_nosha': (mirror_dest + item | basename) | regex_replace('@.*$', ''), 'mirrordest_tag': 'tag-' + item | basename | regex_replace('^.*@sha256:', '')}}, recursive=true) }}" loop: "{{ all_images }}" - when: use_internal_registry - -- name: Create dict with full image name+sha -> mirror destination (OCP < 4.13) - ansible.builtin.set_fact: - image_urls: "{{ image_urls | default({}) | combine({item: - {'mirrordest': mirror_dest + '@' + item | basename | regex_replace('^.*@', ''), - 'mirrordest_nosha': mirror_dest, - 'mirrordest_tag': 'tag-' + item | basename | regex_replace('^.*@sha256:', '')}}, recursive=true) }}" - loop: "{{ all_images }}" - when: not use_internal_registry - name: Create dict with full image name+sha -> image key without sha ansible.builtin.set_fact: 
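Review bot: in the `@@ -21,15 +21,15 @@` hunk of tasks/main.yml the fail message reads "are not support for IIB loading" (should be "supported"), and the preceding task is still named "Is OCP pre OCP 4.13?" while the fact it now sets, `ocp_413`, is true for 4.13 and later; rename the task so name and fact agree. Dropping `when: use_internal_registry` from the `setup-internal-registry.yml` include is fine only because the new `fail` task stops earlier versions first, so keep that ordering if the tasks are ever reshuffled.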
@@ -124,14 +114,6 @@ src: ./templates/imageDigestMirror.yaml.j2 dest: "{{ iib_local_folder }}/imageMirror.yaml" mode: "0644" - when: use_internal_registry - -- name: Template out imageMirror.yaml (OCP < 4.13) - ansible.builtin.template: - src: ./templates/imageContentSourcePolicy.yaml.j2 - dest: "{{ iib_local_folder }}/imageMirror.yaml" - mode: "0644" - when: not use_internal_registry - name: Template out mirror.map ansible.builtin.template: diff --git a/ansible/roles/iib_ci/tasks/setup-external-registry.yml b/ansible/roles/iib_ci/tasks/setup-external-registry.yml deleted file mode 100644 index a9a9b10..0000000 --- a/ansible/roles/iib_ci/tasks/setup-external-registry.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -- name: Check that we can push to the external registry - ansible.builtin.fail: - msg: "REGISTRY: '{{ external_registry }}' and REGISTRY_TOKEN: '{{ external_registry_token }}'. Both need to be set" - failed_when: > - (external_registry is not defined or external_registry | length == 0) or - (external_registry_token is not defined or external_registry_token | length == 0) - -- name: Get current cluster pull secrets - ansible.builtin.command: - oc extract secret/pull-secret -n openshift-config --to=- - register: pull_secrets_raw - -- name: Add external registry to pull secrets and set auth fact - ansible.builtin.set_fact: - pull_secrets_new: "{{ pull_secrets_raw.stdout | from_json }}" - external_registry_auth: "{{ external_registry_token | b64encode }}" - -- name: Add local registry to pull secrets - ansible.builtin.set_fact: - pull_secrets: "{{ pull_secrets_new | combine({'auths': {external_registry.split('/')[0]: {'email': external_registry_email, 'auth': external_registry_auth}}}, recursive=true) }}" - -- name: Get a tempfile for the pull secrets - ansible.builtin.tempfile: - state: directory - register: pull_secrets_tempfolder - -- name: Store pull secrets in tempfile - ansible.builtin.copy: - dest: "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" - content: "{{ pull_secrets | to_nice_json }}" - mode: "0644" - -# We cannot store the logins back in the cluster, because quay.io would be overwritten and not have -# access to the images openshift needs. See: -# https://github.com/moby/moby/issues/37569 -# - name: Update pull-secret in the cluster -# ansible.builtin.shell: | -# oc set data secret/pull-secret -n openshift-config --from-file="{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" -- name: Set Mirror URL fact for external mirror IIB - ansible.builtin.set_fact: - mirror_iib: "{{ external_registry }}" - -- name: Set Mirror URL fact for external mirror - ansible.builtin.set_fact: - mirror_dest: "{{ external_registry }}" 
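Review bot: the deleted `setup-external-registry.yml` was where `pull_secrets_tempfolder` was registered and `mirror_iib`/`mirror_dest` were set on the external path, and `mirror-related-images.yml` still references `pull_secrets_tempfolder.path`; confirm `setup-internal-registry.yml` (not in this diff) defines the same three names, and that it does not repeat the deleted file's habit of writing the cluster pull secret to a `0644` tempfile (`0600` is the right mode for `.dockerconfigjson`). Also, the task removed in the `@@ -124,14 +114,6 @@` hunk of mirror-related-images.yml was the only visible consumer of `./templates/imageContentSourcePolicy.yaml.j2`, and the diffstat shows no deletion for that template, so it is left orphaned; drop it in the same commit.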
From f50deb9c11090b2dffbb6da07431eb560cda671b Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Mon, 22 Apr 2024 18:08:17 +0200 Subject: [PATCH 61/64] Stop saving stderr in a file when running skopeo --- ansible/roles/iib_ci/tasks/mirror-related-images.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/iib_ci/tasks/mirror-related-images.yml b/ansible/roles/iib_ci/tasks/mirror-related-images.yml index bf7356d..16b386f 100644 --- a/ansible/roles/iib_ci/tasks/mirror-related-images.yml +++ b/ansible/roles/iib_ci/tasks/mirror-related-images.yml @@ -33,9 +33,9 @@ right=$(grep "{{ image }}" "{{ iib_local_folder }}/mapping.txt" | cut -f2 -d=) right_base=$(echo $right | sed -e 's/:.*$//' -e 's/@.*$//') right_log=$(echo "${right_base}@${left_sha}" | sed -e 's/\//-/g') - if skopeo inspect --authfile "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" --no-tags docker://"{{ image }}" &> /tmp/skopeo-"{{ image | regex_replace('/', '-') }}".log; then + if skopeo inspect --authfile "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" --no-tags docker://"{{ image }}" > /tmp/skopeo-"{{ image | regex_replace('/', '-') }}".log; then echo "{{ image }}" - elif skopeo inspect --authfile "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" --no-tags docker://"${right_base}@${left_sha}" &> "/tmp/skopeo-${right_log}.log"; then + elif skopeo inspect --authfile "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" --no-tags docker://"${right_base}@${left_sha}" > "/tmp/skopeo-${right_log}.log"; then echo "${right_base}@${left_sha}" else echo "ERROR: both {{ image }} and echo ${right_base}@${left_sha} could not be found" From 5702167854b652b95f917b53a12d5aa858932650 Mon Sep 17 00:00:00 2001 
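Review bot: switching `&>` to `>` on the two `skopeo inspect` calls in the `@@ -33,9 +33,9 @@` hunk means each per-image log now holds only the inspect JSON of a successful call, while the failure text, the part you want when the `else` branch fires, is no longer kept anywhere. If the goal is to see the real error, capture stderr into a variable and print it in the error branch rather than discarding it.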
From: Michele Baldessari Date: Mon, 22 Apr 2024 18:36:29 +0200 Subject: [PATCH 62/64] Rearchitect the code so we can print out the actual error --- .../iib_ci/tasks/mirror-related-images.yml | 21 ++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/ansible/roles/iib_ci/tasks/mirror-related-images.yml b/ansible/roles/iib_ci/tasks/mirror-related-images.yml index 16b386f..f502197 100644 --- a/ansible/roles/iib_ci/tasks/mirror-related-images.yml +++ b/ansible/roles/iib_ci/tasks/mirror-related-images.yml 
@@ -33,13 +33,24 @@ right=$(grep "{{ image }}" "{{ iib_local_folder }}/mapping.txt" | cut -f2 -d=) right_base=$(echo $right | sed -e 's/:.*$//' -e 's/@.*$//') right_log=$(echo "${right_base}@${left_sha}" | sed -e 's/\//-/g') - if skopeo inspect --authfile "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" --no-tags docker://"{{ image }}" > /tmp/skopeo-"{{ image | regex_replace('/', '-') }}".log; then + left_out=$(skopeo inspect --authfile "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" --no-tags docker://"{{ image }}" 2>&1) + left_ret=$? + if [ $left_ret -eq 0 ]; then echo "{{ image }}" - elif skopeo inspect --authfile "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" --no-tags docker://"${right_base}@${left_sha}" > "/tmp/skopeo-${right_log}.log"; then - echo "${right_base}@${left_sha}" else - echo "ERROR: both {{ image }} and echo ${right_base}@${left_sha} could not be found" - exit 1 + echo "${left_out}" > /tmp/skopeo-"{{ image | regex_replace('/', '-') }}".log + right_out=$(skopeo inspect --authfile "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" --no-tags docker://"${right_base}@${left_sha}" 2>&1) + right_ret=$? + if [ $right_ret -eq 0 ]; then + echo "${right_base}@${left_sha}" + else # both left_ret and right_ret were != 0 + echo "${right_out}" > "/tmp/skopeo-${right_log}.log" + echo "ERROR: both {{ image }} and echo ${right_base}@${left_sha} could not be found" + echo "Printing both outputs:" + echo "Left out: ${left_out}" + echo "Right out: ${right_out}" + exit 1 + fi fi register: all_existing_images with_items: "{{ all_images }}" From 109027c4330d1e59032cc8042f88e3d22077a2cc Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Mon, 22 Apr 2024 20:55:18 +0200 Subject: [PATCH 63/64] Check for prereqs for IIB --- ansible/roles/iib_ci/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ansible/roles/iib_ci/tasks/main.yml b/ansible/roles/iib_ci/tasks/main.yml index bb50f28..6500b13 100644 
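Review bot: the error message kept in the new `else` branch of the `@@ -33,13 +33,24 @@` hunk still carries a stray `echo` inside the string (`... and echo ${right_base}@${left_sha} could not be found`); drop the inner `echo`. The `left_out=$(...)` / `left_ret=$?` pattern is correct (an assignment from a command substitution propagates the command's exit status) and capturing `2>&1` into the variable restores the error text the previous revision lost. One asymmetry to be aware of: `left_out` is written to its log on any left failure, `right_out` only when both lookups fail, which is fine if deliberate.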
--- a/ansible/roles/iib_ci/tasks/main.yml +++ b/ansible/roles/iib_ci/tasks/main.yml @@ -4,6 +4,14 @@ failed_when: (iib_image is not defined or iib_image | length == 0) +- name: Check for pre-requisite binaries presence + ansible.builtin.shell: | + which "{{ item }}" + with_items: + - skopeo + - oc + - podman + - name: Set IIB fact ansible.builtin.set_fact: iib: "{{ iib_image.split(':')[1] }}" From d4383b9fe8fedfa1e1f1be199b13d5e059f2ccd6 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Mon, 29 Apr 2024 10:26:00 +0200 Subject: [PATCH 64/64] Update tests after common rebase --- ...-acm-industrial-edge-factory.expected.yaml | 11 +- ...mmon-acm-industrial-edge-hub.expected.yaml | 37 +- ...on-acm-medical-diagnosis-hub.expected.yaml | 37 +- tests/common-acm-naked.expected.yaml | 11 +- tests/common-acm-normal.expected.yaml | 63 +- ...roup-industrial-edge-factory.expected.yaml | 55 +- ...tergroup-industrial-edge-hub.expected.yaml | 100 +- ...rgroup-medical-diagnosis-hub.expected.yaml | 113 +- tests/common-clustergroup-naked.expected.yaml | 51 +- .../common-clustergroup-normal.expected.yaml | 90 +- ...rets-industrial-edge-factory.expected.yaml | 5110 ++++++++++++++--- ...-secrets-industrial-edge-hub.expected.yaml | 5110 ++++++++++++++--- ...ecrets-medical-diagnosis-hub.expected.yaml | 5110 ++++++++++++++--- ...olang-external-secrets-naked.expected.yaml | 5110 ++++++++++++++--- ...lang-external-secrets-normal.expected.yaml | 5110 ++++++++++++++--- ...ault-industrial-edge-factory.expected.yaml | 22 +- ...rp-vault-industrial-edge-hub.expected.yaml | 22 +- ...-vault-medical-diagnosis-hub.expected.yaml | 22 +- ...common-hashicorp-vault-naked.expected.yaml | 22 +- ...ommon-hashicorp-vault-normal.expected.yaml | 22 +- 20 files changed, 21279 insertions(+), 4949 deletions(-) diff --git a/tests/common-acm-industrial-edge-factory.expected.yaml b/tests/common-acm-industrial-edge-factory.expected.yaml index 2210b4c..0291231 100644 
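Review bot: the new prerequisite check in the `@@ -4,6 +4,14 @@` hunk runs `which "{{ item }}"` through `ansible.builtin.shell`; `which` is an external binary that may itself be missing on minimal images, the task has no `changed_when: false` so every run reports a change, and ansible-lint flags `shell` where `command` would do. Prefer `command -v "{{ item }}"` (a shell builtin, so `shell` is justified there) with `changed_when: false`, `loop:` instead of `with_items:`, and a `failed_when`/`msg` that names the missing tool, so the failure is readable instead of a bare non-zero rc.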
--- a/tests/common-acm-industrial-edge-factory.expected.yaml +++ b/tests/common-acm-industrial-edge-factory.expected.yaml @@ -89,6 +89,15 @@ spec: include: - default object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-ca-bundle + namespace: openshift-gitops + labels: + config.openshift.io/inject-trusted-cabundle: 'true' - complianceType: mustonlyhave objectDefinition: # This is an auto-generated file. DO NOT EDIT @@ -100,7 +109,7 @@ spec: labels: operators.coreos.com/openshift-gitops-operator.openshift-operators: '' spec: - channel: gitops-1.8 + channel: gitops-1.11 installPlanApproval: Automatic name: openshift-gitops-operator source: redhat-operators diff --git a/tests/common-acm-industrial-edge-hub.expected.yaml b/tests/common-acm-industrial-edge-hub.expected.yaml index f962777..21a1c30 100644 --- a/tests/common-acm-industrial-edge-hub.expected.yaml +++ b/tests/common-acm-industrial-edge-hub.expected.yaml 
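Review bot: the new `trusted-ca-bundle` ConfigMap in the `@@ -89,6 +89,15 @@` hunk is declared with `complianceType: mustonlyhave` but carries no `data`; its contents are populated by the cluster through the `config.openshift.io/inject-trusted-cabundle: 'true'` label, so confirm the configuration-policy controller treats the injected `ca-bundle.crt` key as compliant rather than stripping it back to the template and fighting the injector (`musthave` is the safer choice for cluster-populated objects). The `gitops-1.8` to `gitops-1.11` channel bump in the `@@ -100,7 +109,7 @@` hunk is a significant operator upgrade and should be called out in the commit message rather than appearing only as an expected-file diff.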
@@ -215,19 +215,19 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-factory.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-factory.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-factory.yaml' + - "/values-global.yaml" + - "/values-factory.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-factory.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf "%d.%d" ((semver 
(index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -236,18 +236,18 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - # Requires ACM 2.6 or higher - name: global.clusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' - # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}' + value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - name: global.localClusterName value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - name: global.clusterPlatform value: aws - name: clusterGroup.name value: factory + - name: global.experimentalCapabilities + value: - name: clusterGroup.isHubCluster value: "false" destination: 
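Review bot: in the `@@ -215,19 +215,19 @@` hunk the managed application's `global.repoURL`/`global.targetRevision` parameters change from `$ARGOCD_APP_SOURCE_REPO_URL`/`$ARGOCD_APP_SOURCE_TARGET_REVISION` to the literals `https://github.com/pattern-clone/mypattern`/`main`; that is fine as the test's rendering of fixed values, but it means the spoke's source is now whatever the hub's values say rather than the Argo CD application's own source, which should be a deliberate and documented choice. Two smaller points: `global.experimentalCapabilities` is emitted with an empty `value:` (renders as null; check Argo CD accepts that as an empty string rather than rejecting the parameter), and the version lookup now reads `ClusterVersion ... status.history 0`, the most recent history entry, which during an in-progress upgrade is the target version (`state: Partial`) rather than the one currently running.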
@@ -296,6 +296,15 @@ spec: include: - default object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-ca-bundle + namespace: openshift-gitops + labels: + config.openshift.io/inject-trusted-cabundle: 'true' - complianceType: mustonlyhave objectDefinition: # This is an auto-generated file. DO NOT EDIT @@ -307,7 +316,7 @@ spec: labels: operators.coreos.com/openshift-gitops-operator.openshift-operators: '' spec: - channel: gitops-1.8 + channel: gitops-1.11 installPlanApproval: Automatic name: openshift-gitops-operator source: redhat-operators diff --git a/tests/common-acm-medical-diagnosis-hub.expected.yaml b/tests/common-acm-medical-diagnosis-hub.expected.yaml index cea5a1d..40df35e 100644 --- a/tests/common-acm-medical-diagnosis-hub.expected.yaml +++ b/tests/common-acm-medical-diagnosis-hub.expected.yaml 
@@ -206,19 +206,19 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-region-one.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-region-one.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-region-one.yaml' + - "/values-global.yaml" + - "/values-region-one.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-region-one.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf "%d.%d" 
((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -227,18 +227,18 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - # Requires ACM 2.6 or higher - name: global.clusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' - # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}' + value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - name: global.localClusterName value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - name: global.clusterPlatform value: aws - name: clusterGroup.name value: region-one + - name: global.experimentalCapabilities + value: - name: clusterGroup.isHubCluster value: "false" destination: 
@@ -287,6 +287,15 @@ spec: include: - default object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-ca-bundle + namespace: openshift-gitops + labels: + config.openshift.io/inject-trusted-cabundle: 'true' - complianceType: mustonlyhave objectDefinition: # This is an auto-generated file. DO NOT EDIT @@ -298,7 +307,7 @@ spec: labels: operators.coreos.com/openshift-gitops-operator.openshift-operators: '' spec: - channel: gitops-1.8 + channel: gitops-1.11 installPlanApproval: Automatic name: openshift-gitops-operator source: redhat-operators diff --git a/tests/common-acm-naked.expected.yaml b/tests/common-acm-naked.expected.yaml index 5ba9bd6..4f0ac75 100644 --- a/tests/common-acm-naked.expected.yaml +++ b/tests/common-acm-naked.expected.yaml @@ -90,6 +90,15 @@ spec: include: - default object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-ca-bundle + namespace: openshift-gitops + labels: + config.openshift.io/inject-trusted-cabundle: 'true' - complianceType: mustonlyhave objectDefinition: # This is an auto-generated file. DO NOT EDIT @@ -101,7 +110,7 @@ spec: labels: operators.coreos.com/openshift-gitops-operator.openshift-operators: '' spec: - channel: gitops-1.8 + channel: gitops-1.11 installPlanApproval: Automatic name: openshift-gitops-operator source: redhat-operators diff --git a/tests/common-acm-normal.expected.yaml b/tests/common-acm-normal.expected.yaml index 55553a7..20a38d5 100644 --- a/tests/common-acm-normal.expected.yaml +++ b/tests/common-acm-normal.expected.yaml 
@@ -609,19 +609,19 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-acm-edge.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-edge.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-edge.yaml' + - "/values-global.yaml" + - "/values-acm-edge.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-edge.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf "%d.%d" ((semver 
(index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -630,18 +630,18 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - # Requires ACM 2.6 or higher - name: global.clusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' - # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}' + value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - name: global.localClusterName value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - name: global.clusterPlatform value: aws - name: clusterGroup.name value: acm-edge + - name: global.experimentalCapabilities + value: - name: clusterGroup.isHubCluster value: "false" destination: 
@@ -705,19 +705,19 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-acm-provision-edge.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-edge.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-provision-edge.yaml' + - "/values-global.yaml" + - "/values-acm-provision-edge.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-edge.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke 
cluster version + - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -726,18 +726,18 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - # Requires ACM 2.6 or higher - name: global.clusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' - # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}' + value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - name: global.localClusterName value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - name: global.clusterPlatform value: aws - name: clusterGroup.name value: acm-provision-edge + - name: global.experimentalCapabilities + value: - name: clusterGroup.isHubCluster value: "false" destination: 
@@ -786,6 +786,15 @@ spec: include: - default object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-ca-bundle + namespace: openshift-gitops + labels: + config.openshift.io/inject-trusted-cabundle: 'true' - complianceType: mustonlyhave objectDefinition: # This is an auto-generated file. DO NOT EDIT @@ -797,7 +806,7 @@ spec: labels: operators.coreos.com/openshift-gitops-operator.openshift-operators: '' spec: - channel: gitops-1.8 + channel: gitops-1.11 installPlanApproval: Automatic name: openshift-gitops-operator source: redhat-operators diff --git a/tests/common-clustergroup-industrial-edge-factory.expected.yaml b/tests/common-clustergroup-industrial-edge-factory.expected.yaml index ac58a28..6c86971 100644 --- a/tests/common-clustergroup-industrial-edge-factory.expected.yaml +++ b/tests/common-clustergroup-industrial-edge-factory.expected.yaml @@ -181,6 +181,8 @@ data: useCSV: false pattern: mypattern repoURL: https://github.com/pattern-clone/mypattern + secretStore: + backend: vault targetRevision: main main: clusterGroupName: hub @@ -191,6 +193,16 @@ data: kind: ClusterSecretStore name: vault-backend --- +# Source: clustergroup/templates/imperative/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: trusted-ca-bundle + namespace: imperative + annotations: + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- # Source: clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml kind: ConfigMap apiVersion: v1 
@@ -223,6 +235,15 @@ data: --set clusterGroup.name=factory --post-renderer ./kustomize"] --- +# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: trusted-ca-bundle + namespace: mypattern-factory + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- # Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -352,6 +373,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' @@ -363,7 +387,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; 
@@ -371,15 +394,17 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: test image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -412,12 +437,12 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-factory + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-factory restartPolicy: Never --- # Source: clustergroup/templates/core/subscriptions.yaml @@ -520,13 +545,15 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: limit: 20 --- # Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1alpha1 +apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: finalizers: 
@@ -684,6 +711,7 @@ spec: - manuela-stormshift-line-dashboard --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -694,6 +722,7 @@ spec: - manuela-stormshift-machine-sensor --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: diff --git a/tests/common-clustergroup-industrial-edge-hub.expected.yaml b/tests/common-clustergroup-industrial-edge-hub.expected.yaml index 71bd33a..fe0bdbb 100644 --- a/tests/common-clustergroup-industrial-edge-hub.expected.yaml +++ b/tests/common-clustergroup-industrial-edge-hub.expected.yaml @@ -342,6 +342,8 @@ data: useCSV: false pattern: mypattern repoURL: https://github.com/pattern-clone/mypattern + secretStore: + backend: vault targetRevision: main main: clusterGroupName: hub @@ -352,6 +354,16 @@ data: kind: ClusterSecretStore name: vault-backend --- +# Source: clustergroup/templates/imperative/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: trusted-ca-bundle + namespace: imperative + annotations: + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- # Source: clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml kind: ConfigMap apiVersion: v1 @@ -384,6 +396,15 @@ data: --set clusterGroup.name=datacenter --post-renderer ./kustomize"] --- +# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: trusted-ca-bundle + namespace: mypattern-datacenter + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- # Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -513,6 +534,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' 
@@ -524,7 +548,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; @@ -532,15 +555,17 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: test image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always 
@@ -573,12 +598,12 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-datacenter + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-datacenter restartPolicy: Never --- # Source: clustergroup/templates/imperative/unsealjob.yaml @@ -608,6 +633,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' @@ -619,7 +647,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; 
@@ -627,15 +654,17 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: unseal-playbook image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -670,12 +699,12 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-datacenter + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-datacenter restartPolicy: Never --- # Source: clustergroup/templates/core/subscriptions.yaml @@ -814,6 +843,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: ignoreDifferences: [ { "group": "internal.open-cluster-management.io", @@ -877,6 +908,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: 
@@ -931,6 +964,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -985,6 +1020,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: ignoreDifferences: [ { "group": "apps", @@ -1069,6 +1106,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -1123,6 +1162,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -1204,6 +1245,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: - name: global.openshift value: "true" - name: injector.enabled @@ -1228,7 +1271,7 @@ spec: limit: 20 --- # Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1alpha1 +apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: finalizers: @@ -1386,6 +1429,7 @@ spec: - golang-external-secrets --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1396,6 +1440,7 @@ spec: - external-secrets --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1406,6 +1451,7 @@ spec: - open-cluster-management --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1416,6 +1462,7 @@ spec: - manuela-tst-all --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: 
@@ -1426,6 +1473,7 @@ spec: - manuela-ci --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1436,6 +1484,7 @@ spec: - manuela-data-lake --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1446,6 +1495,7 @@ spec: - staging --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: diff --git a/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml b/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml index 209404a..d7d59bc 100644 --- a/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml +++ b/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml @@ -301,6 +301,8 @@ data: useCSV: false pattern: mypattern repoURL: https://github.com/pattern-clone/mypattern + secretStore: + backend: vault targetRevision: main main: clusterGroupName: hub @@ -311,6 +313,25 @@ data: kind: ClusterSecretStore name: vault-backend --- +# Source: clustergroup/templates/imperative/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: trusted-ca-bundle + namespace: imperative + annotations: + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- +# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: trusted-ca-bundle + namespace: mypattern-hub + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- # Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -440,6 +461,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' 
@@ -451,7 +475,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; @@ -459,15 +482,17 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: test image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always 
@@ -500,12 +525,12 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-hub + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-hub restartPolicy: Never --- # Source: clustergroup/templates/imperative/unsealjob.yaml @@ -535,6 +560,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' @@ -546,7 +574,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; 
@@ -554,15 +581,17 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: unseal-playbook image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -597,12 +626,12 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-hub + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-hub restartPolicy: Never --- # Source: clustergroup/templates/core/subscriptions.yaml @@ -699,6 +728,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -753,6 +784,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: 
@@ -807,6 +840,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -861,6 +896,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -915,6 +952,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -969,6 +1008,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -1023,6 +1064,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -1077,6 +1120,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: - name: global.openshift value: "true" - name: injector.enabled @@ -1149,6 +1194,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -1203,6 +1250,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -1257,6 +1306,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: ignoreDifferences: [ { "group": "apps.openshift.io", @@ -1320,6 +1371,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: ignoreDifferences: [ { "group": "apps.openshift.io", 
@@ -1383,13 +1436,15 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: limit: 20 --- # Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1alpha1 +apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: finalizers: @@ -1521,6 +1576,7 @@ spec: - open-cluster-management --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1531,6 +1587,7 @@ spec: - openshift-serverless --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1541,6 +1598,7 @@ spec: - opendatahub --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1551,6 +1609,7 @@ spec: - openshift-storage --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1561,6 +1620,7 @@ spec: - xraylab-1 --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1571,6 +1631,7 @@ spec: - knative-serving --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1581,6 +1642,7 @@ spec: - staging --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1591,6 +1653,7 @@ spec: - vault --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: diff --git a/tests/common-clustergroup-naked.expected.yaml b/tests/common-clustergroup-naked.expected.yaml index ec8099f..fdaf429 100644 --- a/tests/common-clustergroup-naked.expected.yaml 
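Review bot: the `apiVersion: argoproj.io/v1alpha1` to `argoproj.io/v1beta1` switch in the `@@ -1383,13 +1436,15 @@` hunk raises the minimum operator version the chart supports: a cluster whose GitOps operator only serves `v1alpha1` for `ArgoCD` rejects this manifest at apply time, and nothing in the expected output records that requirement. Please document the minimum OpenShift GitOps version alongside this change so that users on older operators get a clear upgrade message rather than a failed sync.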
+++ b/tests/common-clustergroup-naked.expected.yaml @@ -76,11 +76,32 @@ data: syncPolicy: Automatic useCSV: true pattern: common + secretStore: + backend: vault targetRevision: main secretStore: kind: ClusterSecretStore name: vault-backend --- +# Source: clustergroup/templates/imperative/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: trusted-ca-bundle + namespace: imperative + annotations: + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- +# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: trusted-ca-bundle + namespace: common-example + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- # Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -210,6 +231,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' @@ -221,7 +245,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; 
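Review bot: the `trusted-ca-bundle` ConfigMap added for the `imperative` namespace carries an empty `annotations:` key (it renders as a null map) that the sibling ConfigMap from `trusted-bundle-ca-configmap.yaml` does not have; drop it or give it content so the two templates stay consistent. More importantly, nothing in this file's job hunks mounts the bundle into the clone container, yet the same file now exports `HTTPS_PROXY` before `git clone`; behind a TLS-intercepting proxy the clone fails on certificate verification unless the injected `ca-bundle.crt` is mounted and exposed to git via `GIT_SSL_CAINFO` (or the image's system trust store), so please point to where the bundle is actually consumed.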
@@ -229,15 +252,17 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: unseal-playbook image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -272,16 +297,16 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-example + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-example restartPolicy: Never --- # Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1alpha1 +apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: finalizers: diff --git a/tests/common-clustergroup-normal.expected.yaml b/tests/common-clustergroup-normal.expected.yaml index 83bfa7e..4daddb8 100644 --- a/tests/common-clustergroup-normal.expected.yaml +++ b/tests/common-clustergroup-normal.expected.yaml 
@@ -263,6 +263,8 @@ data: useCSV: false pattern: mypattern repoURL: https://github.com/pattern-clone/mypattern + secretStore: + backend: vault targetRevision: main main: clusterGroupName: hub @@ -273,6 +275,25 @@ data: kind: ClusterSecretStore name: vault-backend --- +# Source: clustergroup/templates/imperative/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: trusted-ca-bundle + namespace: imperative + annotations: + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- +# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: trusted-ca-bundle + namespace: mypattern-example + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- # Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -402,6 +423,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' @@ -413,7 +437,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; 
@@ -421,15 +444,17 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: test image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -462,12 +487,12 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-example + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-example restartPolicy: Never --- # Source: clustergroup/templates/imperative/unsealjob.yaml @@ -497,6 +522,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' 
@@ -508,7 +536,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; @@ -516,15 +543,17 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: unseal-playbook image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always 
@@ -559,14 +588,17 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-example + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-example restartPolicy: Never --- +# Source: clustergroup/templates/core/operatorgroup.yaml +--- +--- # Source: clustergroup/templates/core/subscriptions.yaml --- --- @@ -663,6 +695,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: ignoreDifferences: [ { "group": "internal.open-cluster-management.io", @@ -729,6 +763,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -975,7 +1011,7 @@ spec: - /status --- # Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1alpha1 +apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: finalizers: @@ -1097,6 +1133,7 @@ spec: text: 'Example ArgoCD' --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1108,6 +1145,7 @@ spec: - other-namespace --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1117,6 +1155,7 @@ spec: targetNamespaces: --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1127,7 +1166,6 @@ spec: - include-ci --- # Source: clustergroup/templates/core/operatorgroup.yaml ---- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: diff --git a/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml b/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml index d1bf40a..dde550f 100644 
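Review bot: the OperatorGroup rendering now emits empty YAML documents: `+# Source: clustergroup/templates/core/operatorgroup.yaml +--- +---` in the `@@ -559,14 +588,17 @@` hunk has no body at all, each OperatorGroup further down gains an extra `---` between its `# Source:` comment and `apiVersion:`, and the one at `@@ -1127,7 +1166,6 @@` loses the `---` it had (the hub file shows the same pattern). Empty documents are ignored by Helm and `kubectl`, but the separator should be emitted only between objects inside the template's loop, so that a template rendering nothing emits nothing, the `# Source:` comment stays attached to the document it names, and the expected files stop churning on separator placement.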
--- a/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml +++ b/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml @@ -4,12 +4,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -17,12 +17,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: common-golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -30,12 +30,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml 
@@ -43,12 +43,12 @@ apiVersion: v1 kind: Secret metadata: name: common-golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,7 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
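Review bot: the external-secrets 0.9.11 to 0.9.16 bump is almost entirely cosmetic in this expected output: the `controller-gen.kubebuilder.io/version: v0.13.0` to `v0.14.0` change reflows every CRD `description` into a `|-` block scalar, and `namespace: "default"` becomes the unquoted `namespace: default`. The functional delta is buried in that noise, so split the regenerated expected files (or at least the CRD description reflow) from the chart-version bump, and state in the commit message which upstream changes motivated the upgrade; a version bump of the component that writes cluster Secrets should be reviewable on its own.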
@@ -85,18 +85,39 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md" + description: |- + ACRAccessToken returns a Azure Container Registry token + that can be used for pushing/pulling images. + Note: by default it will return an ACR Refresh Token with full access + (depending on the identity). + This can be scoped down to the repository level using .spec.scope. + In case scope is defined it will return an ACR Access Token. + + + See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: 'ACRAccessTokenSpec defines how to generate the access token e.g. how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview' + description: |- + ACRAccessTokenSpec defines how to generate the access token + e.g. how to authenticate and which registry to use. + see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview properties: auth: properties: 
@@ -111,32 +132,42 @@ spec: description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. properties: secretRef: - description: Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret. + description: |- + Configuration used to authenticate with Azure using static + credentials stored in a Kind=Secret. properties: clientId: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -147,10 +178,15 @@ spec: description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. properties: serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -158,7 +194,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -167,7 +205,11 @@ spec: type: object environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -175,10 +217,23 @@ spec: - GermanCloud type: string registry: - description: the domain name of the ACR registry e.g. foobarexample.azurecr.io + description: |- + the domain name of the ACR registry + e.g. foobarexample.azurecr.io type: string scope: - description: "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. \n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/" + description: |- + Define the scope for the access token, e.g. pull/push access for a repository. + if not provided it will return a refresh token that has full scope. + Note: you need to pin it down to the repository level, there is no wildcard available. + + + examples: + repository:my-repository:pull,push + repository:my-repository:pull + + + see docs for details: https://docs.docker.com/registry/spec/auth/scope/ type: string tenantId: description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. @@ -208,7 +263,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -239,10 +294,19 @@ spec: description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -273,7 +337,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -311,14 +377,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -338,7 +413,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -353,11 +430,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -395,7 +476,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -430,11 +513,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -447,10 +534,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -458,7 +549,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -482,7 +579,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -495,13 +594,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -513,11 +617,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -526,7 +634,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -536,7 +646,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -547,7 +660,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 
@@ -636,21 +752,31 @@ spec: type: object type: object namespaceSelector: - description: The labels to select by to find the Namespaces to create the ExternalSecrets in. + description: |- + The labels to select by to find the Namespaces to create the ExternalSecrets in. + Deprecated: Use NamespaceSelectors instead. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -662,10 +788,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + namespaceSelectors: + description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array namespaces: description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. items: @@ -739,7 +916,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io 
@@ -768,10 +945,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -779,7 +965,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -796,7 +984,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -805,23 +995,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -829,7 +1034,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -839,51 +1046,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -942,26 +1170,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -980,7 +1216,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -989,7 +1228,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -997,39 +1239,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1060,32 +1314,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -1095,10 +1361,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1106,7 +1377,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1155,13 +1428,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1177,7 +1454,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1185,7 +1465,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1212,13 +1494,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1246,13 +1532,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1277,29 +1567,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1310,7 +1612,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1318,7 +1623,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1328,16 +1635,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1387,7 +1700,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1396,26 +1712,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1434,13 +1758,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -1451,10 +1782,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -1462,7 +1798,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -1474,6 +1812,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
@@ -1481,26 +1859,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1509,55 +1901,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1565,7 +1985,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1575,55 +1997,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1631,7 +2084,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1641,27 +2096,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -1671,18 +2139,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -1708,23 +2184,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -1740,7 +2233,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -1781,7 +2278,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -1791,13 +2290,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -1828,13 +2331,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1842,16 +2349,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1918,10 +2431,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1931,7 +2453,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -1939,16 +2463,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1960,7 +2492,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1972,7 +2507,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1989,7 +2526,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -1998,23 +2537,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2022,7 +2576,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2032,51 +2588,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -2089,7 +2666,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2135,26 +2714,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2178,7 +2765,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -2187,7 +2777,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2195,52 +2788,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -2258,10 +2870,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
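Review bot: `recoveryWindowInDays` in the SecretsManager block documents a range of 7 to 30 days, but the schema under it carries only `format: int64` and `type: integer`, so an out-of-range value is accepted by the apiserver and only rejected later by the AWS API. Add `minimum: 7` and `maximum: 30` beside `format: int64` so the CRD enforces what the description promises; the reflow of the description itself is fine.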
@@ -2297,38 +2919,67 @@ spec: description: AzureKV configures this store to sync secrets using Azure Key Vault provider properties: authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. + description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: clientId: - description: The Azure clientId of the service principle used for authentication. + description: The Azure clientId of the service principle or managed identity used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. 
+ type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + tenantId: + description: The Azure tenantId of the managed identity used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity 
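Review bot: the documentation in this hunk is inconsistent with the WorkloadIdentity support it introduces: `authSecretRef` becomes "Optional for WorkloadIdentity" and gains a `tenantId` sub-field, yet the reflowed `authType` description still lists only "ServicePrincipal" and "ManagedIdentity" as valid values; add the WorkloadIdentity entry to that doc comment at the Go type so the generated description covers every supported auth type. Two smaller points on the same lines: the rewritten `clientId` line keeps the misspelling "service principle" (the unchanged `clientSecret` context line has it as well), and the new `tenantId` description says "of the managed identity" while `clientId` says "service principle or managed identity"; both should read "service principal or managed identity" so the three sibling fields describe the same set of identities.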
@@ -2336,7 +2987,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud @@ -2347,10 +3002,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2358,13 +3018,15 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. + description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. type: string vaultUrl: description: Vault Url from which the secrets to be fetched from. 
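Review bot: `tenantId` now exists twice for the same provider, as the plain string `spec.provider.azurekv.tenantId` in this hunk and as the secret reference `spec.provider.azurekv.authSecretRef.tenantId` added earlier in this patch, and neither description says which one wins when both are set or which one applies to a given `authType`. Document the precedence in both descriptions (or reject the combination in the controller), otherwise a mismatch between the two values only surfaces as an opaque authentication failure against the wrong tenant.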
@@ -2372,6 +3034,49 @@ spec: required: - vaultUrl type: object + chef: + description: Chef configures this store to sync secrets with chef server + properties: + auth: + description: Auth defines the information necessary to authenticate against chef Server + properties: + secretRef: + description: ChefAuthSecretRef holds secret references for chef server login credentials. + properties: + privateKeySecretRef: + description: SecretKey is the Signing Key in PEM format, used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - privateKeySecretRef + type: object + required: + - secretRef + type: object + serverUrl: + description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" + type: string + username: + description: UserName should be the user ID on the chef server + type: string + required: + - auth + - serverUrl + - username + type: object conjur: description: Conjur configures this store to sync secrets using conjur provider properties: 
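Review bot: the new `chef.serverUrl` description imposes a format rule ("terminate the url with a "/"") that the schema does not enforce; since this is an apiserver-validated CRD, add a `pattern` under `serverUrl` (for example `pattern: '^https?://.+/$'`, one option among several) so a missing trailing slash is rejected at admission instead of at runtime. Also, the `privateKeySecretRef` description opens with "SecretKey is the Signing Key", which is the Go field name rather than the CRD field; name it `privateKeySecretRef` in the doc comment so the generated description matches what users actually write.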
@@ -2382,29 +3087,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2416,24 +3133,40 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2441,7 +3174,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -2457,7 +3192,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -2466,7 +3204,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2485,7 +3225,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. @@ -2494,13 +3236,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -2514,13 +3260,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -2531,10 +3281,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId 
@@ -2550,16 +3304,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2620,6 +3381,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
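Review bot: in the new `fortanix` block the schema and its description disagree. `apiUrl` is documented as "Defaults to `sdkms.fortanix.com`" but carries no `default:` (compare `onboardbase.apiHost` and `pulumi.apiUrl` elsewhere in this patch, which do), and nothing under `fortanix` is listed as `required`, so a store with no `apiKey.secretRef` passes CRD validation and only fails at reconcile time. Suggest adding a `default:` that includes the scheme (the documented value has no `https://`, so it is unclear whether the client prepends one) and `required: - apiKey`, so a misconfigured store is rejected at admission rather than discovered later.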
@@ -2632,13 +3421,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2654,7 +3447,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2662,7 +3458,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2689,13 +3487,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2750,13 +3552,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2771,16 +3577,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -2801,29 +3613,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2831,7 +3655,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2839,7 +3666,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2848,16 +3677,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2883,7 +3718,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2903,6 +3740,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -2916,13 +3817,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
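Review bot: `project` under the new `onboardbase` provider has `default: development`, which reads as a copy of the `environment` default directly above it; a project literally named "development" is unlikely to be what a user intends, and a defaulted project silently points the store at the wrong secrets instead of failing. Suggest dropping that default (the field is already in the `required` list). Two smaller points in the same hunk: `apiHost` and `environment` appear under `required` even though they carry defaults, which is harmless but misleading, and the `environment` description has the typo "environmnent".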
@@ -2948,7 +3853,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -2957,26 +3864,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2995,13 +3910,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -3012,10 +3934,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3023,7 +3950,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3035,6 +3964,145 @@ spec: - region - vault type: object + passbolt: + properties: + auth: + description: Auth defines the information necessary to authenticate against Passbolt Server + properties: + passwordSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + privateKeySecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - passwordSecretRef + - privateKeySecretRef + type: object + host: + description: Host defines the Passbolt Server to connect to + type: string + required: + - auth + - host + type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. 
+ properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object + pulumi: + description: Pulumi configures this store to sync secrets using the Pulumi provider + properties: + accessToken: + description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + default: https://api.pulumi.com + description: APIURL is the URL of the Pulumi API. 
+ type: string + environment: + description: |- + Environment are YAML documents composed of static key-value pairs, programmatic expressions, + dynamically retrieved values from supported providers including all major clouds, + and other Pulumi ESC environments. + To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. + type: string + organization: + description: |- + Organization are a space to collaborate on shared projects and stacks. + To create a new organization, visit https://app.pulumi.com/ and click "New Organization". + type: string + required: + - accessToken + - environment + - organization + type: object scaleway: description: Scaleway properties: @@ -3045,13 +4113,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
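Review bot: the three providers added in the `passbolt`/`passworddepot`/`pulumi` hunk need a tighter schema before merge. `passbolt` is the only provider block in this patch without a top-level `description`, and its `host` is a bare string with no indication of whether a scheme is expected. `passworddepot.auth.secretRef` has no `required: - credentials`, so `secretRef: {}` validates, and the single `credentials` selector is described as "Username / Password" without saying how both values are encoded in one Secret key; the `host` field's description also calls it a URL, so the name and description should agree. `pulumi.accessToken` likewise does not mark `secretRef` as required, and its description says "is the access tokens". Suggest adding the missing `required` lists and a one-line format note on the `credentials` key.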
@@ -3074,13 +4146,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3102,16 +4178,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3140,39 +4222,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3180,37 +4284,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -3222,7 +4342,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3230,7 +4353,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3252,39 +4377,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3298,25 +4438,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3324,7 +4480,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3334,55 +4492,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3390,7 +4579,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3400,43 +4591,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -3444,23 +4660,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -3468,7 +4695,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3481,7 +4712,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -3494,23 +4727,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -3526,7 +4825,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3567,7 +4870,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -3577,13 +4882,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -3614,13 +4923,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3628,16 +4941,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3657,13 +4976,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3671,16 +4994,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -3750,7 +5079,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
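Review bot: The `controller-gen.kubebuilder.io/version: v0.13.0` -> `v0.14.0` annotation bump at the `ecrauthorizationtokens.generators.external-secrets.io` CRD (and the identical bumps on the CRDs that follow) says these manifests were regenerated, but nothing in this section records which external-secrets chart release they were vendored from. The hunk offsets (`-3750,7 +5079,7`, roughly 1300 added lines so far) are consistent with the reflowed multi-line descriptions plus new CRDs, so the diff itself is plausible, but please state the upstream chart version in the commit message and confirm the file was produced by re-rendering the chart rather than by hand edits, so the next update does not have to reconcile manual changes against generated output.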
@@ -3768,13 +5097,28 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. + description: |- + ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an + authorization token. + The authorization token is valid for 12 hours. + The authorizationToken returned is a base64 encoded string that can be decoded + and used in a docker login command to authenticate to a registry. + For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3790,7 +5134,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3798,52 +5145,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -3852,7 +5218,9 @@ spec: description: Region specifies the region to operate in. type: string role: - description: You can assume a role before making calls to the desired AWS service. + description: |- + You can assume a role before making calls to the + desired AWS service. type: string required: - region @@ -3878,7 +5246,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: externalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -3910,10 +5278,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3955,7 +5332,9 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: description: ExternalSecretDataRemoteRef defines Provider data location. properties: 
@@ -3981,13 +5360,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -3996,11 +5380,15 @@ spec: - name type: object target: - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Merge 
@@ -4010,7 +5398,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4021,7 +5412,10 @@ spec: type: object engineVersion: default: v1 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4093,7 +5487,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4117,7 +5514,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4149,10 +5548,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4165,7 +5573,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -4203,14 +5613,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -4230,7 +5649,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4245,11 +5666,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -4287,7 +5712,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -4322,11 +5749,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -4339,10 +5770,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -4350,7 +5785,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -4374,7 +5815,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4387,13 +5830,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -4405,11 +5853,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -4418,7 +5870,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -4428,7 +5882,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4439,7 +5896,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4533,7 +5993,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4557,7 +6020,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4586,7 +6051,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4604,13 +6069,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Fake generator is used for testing. It lets you define a static set of credentials that is always returned. + description: |- + Fake generator is used for testing. It lets you define + a static set of credentials that is always returned. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4618,12 +6094,16 @@ spec: description: FakeSpec contains the static data. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string data: additionalProperties: type: string - description: Data defines the static data returned by this generator. + description: |- + Data defines the static data returned + by this generator. type: object type: object type: object @@ -4647,7 +6127,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -4665,13 +6145,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: GCRAccessToken generates an GCP access token that can be used to authenticate with GCR. + description: |- + GCRAccessToken generates an GCP access token + that can be used to authenticate with GCR. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4686,13 +6177,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -4708,7 +6203,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -4716,7 +6214,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -4750,65 +6250,187 @@ spec: namespace: "default" path: /convert --- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml +# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: passwords.generators.external-secrets.io + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubaccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io names: categories: - - password - kind: Password - listKind: PasswordList - plural: passwords + - githubaccesstoken + kind: GithubAccessToken + listKind: GithubAccessTokenList + plural: githubaccesstokens shortNames: - - password - singular: password + - githubaccesstoken + singular: githubaccesstoken scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: - description: Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes. + description: GithubAccessToken generates ghs_ accessToken properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: PasswordSpec controls the behavior of the password generator. properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: Length of the password to be generated. Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: SymbolCharacters specifies the special characters that should be used in the generated password. + appID: type: string - symbols: - description: Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat + auth: + description: Auth configures how ESO authenticates with a Github instance. + properties: + privatKey: + properties: + secretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. 
+ type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - secretRef + type: object + required: + - privatKey + type: object + installID: + type: string + url: + description: URL configures the Github instance URL. Defaults to https://github.com/. + type: string + required: + - appID + - auth + - installID + type: object + type: object + served: true + storage: true + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + clientConfig: + service: + name: common-golang-external-secrets-webhook + namespace: "default" + path: /convert +--- +# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: passwords.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - password + kind: Password + listKind: PasswordList + plural: passwords + shortNames: + - password + singular: password + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Password generates a random password based on the + configuration parameters in spec. + You can specify the length, characterset and other attributes. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PasswordSpec controls the behavior of the password generator. + properties: + allowRepeat: + default: false + description: set AllowRepeat to true to allow repeating characters. + type: boolean + digits: + description: |- + Digits specifies the number of digits in the generated + password. If omitted it defaults to 25% of the length of the password + type: integer + length: + default: 24 + description: |- + Length of the password to be generated. + Defaults to 24 + type: integer + noUpper: + default: false + description: Set NoUpper to disable uppercase characters + type: boolean + symbolCharacters: + description: |- + SymbolCharacters specifies the special characters that should be used + in the generated password. + type: string + symbols: + description: |- + Symbols specifies the number of symbol characters in the generated + password. If omitted it defaults to 25% of the length of the password + type: integer + required: + - allowRepeat - length - noUpper type: object @@ -4833,7 +6455,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: pushsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -4858,10 +6480,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4872,6 +6503,13 @@ spec: description: Secret Data that should be pushed to providers items: properties: + conversionStrategy: + default: None + description: Used to define a conversion Strategy for the secret keys + enum: + - None + - ReverseUnicode + type: string match: description: Match a given Secret Key to be pushed to the provider. properties: 
@@ -4894,7 +6532,9 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match @@ -4915,7 +6555,9 @@ spec: properties: kind: default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string labelSelector: description: Optionally, sync to secret stores with label selector 
@@ -4923,16 +6565,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4944,7 +6594,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4977,7 +6630,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -5063,6 +6719,13 @@ spec: type: type: string type: object + updatePolicy: + default: Replace + description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' + enum: + - Replace + - IfNotExists + type: string required: - secretStoreRefs - selector @@ -5092,7 +6755,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -5100,6 +6765,13 @@ spec: additionalProperties: additionalProperties: properties: + conversionStrategy: + default: None + description: Used to define a conversion Strategy for the secret keys + enum: + - None + - ReverseUnicode + type: string match: description: Match a given Secret Key to be pushed to the provider. properties: @@ -5122,13 +6794,17 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match type: object type: object - description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore. + description: |- + Synced PushSecrets, including secrets that already exist in provider. + Matches secret stores to PushSecretData that was stored to that secret store. type: object syncedResourceVersion: description: SyncedResourceVersion keeps track of the last synced version. @@ -5155,7 +6831,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretstores.external-secrets.io spec: group: external-secrets.io 
@@ -5184,10 +6860,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -5195,7 +6880,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5212,7 +6899,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -5221,23 +6910,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5245,7 +6949,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5255,51 +6961,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -5358,26 +7085,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5396,7 +7131,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -5405,7 +7143,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5413,39 +7154,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5476,32 +7229,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -5511,10 +7276,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5522,7 +7292,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5571,13 +7343,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5593,7 +7369,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5601,7 +7380,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5628,13 +7409,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5662,13 +7447,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5693,29 +7482,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5726,7 +7527,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5734,7 +7538,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5744,16 +7550,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5803,7 +7615,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5812,26 +7627,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5850,13 +7673,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -5867,10 +7697,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5878,7 +7713,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -5890,6 +7727,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
@@ -5897,26 +7774,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5925,55 +7816,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5981,7 +7900,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5991,55 +7912,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6047,7 +7999,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6057,27 +8011,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -6087,18 +8054,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6124,23 +8099,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -6156,7 +8148,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -6197,7 +8193,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -6207,13 +8205,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -6244,13 +8246,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6258,16 +8264,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6334,10 +8346,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -6347,7 +8368,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -6355,16 +8378,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6376,7 +8407,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6388,7 +8422,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -6405,7 +8441,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -6414,23 +8452,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6438,7 +8491,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6448,51 +8503,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6505,7 +8581,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -6551,26 +8629,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6594,7 +8680,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -6603,7 +8692,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -6611,52 +8703,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -6674,10 +8785,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -6713,38 +8834,67 @@ spec: description: AzureKV configures this store to sync secrets using Azure Key Vault provider properties: authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. + description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: clientId: - description: The Azure clientId of the service principle used for authentication. + description: The Azure clientId of the service principle or managed identity used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. 
type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + tenantId: + description: The Azure tenantId of the managed identity used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity 
@@ -6752,7 +8902,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud @@ -6763,10 +8917,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
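Review bot: the reflowed `serviceAccountRef` descriptions in the second hunk keep two grammar slips: "ServiceAccountRef specified the service account" should read "specifies", and "then this audiences will be appended" should be "these audiences will be appended". The identical text recurs for every provider's `serviceAccountRef` in this patch (conjur, gcpsm, kubernetes, oracle), so correct it once at the source the descriptions are generated from rather than in each copy.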
@@ -6774,13 +8933,15 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. + description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. type: string vaultUrl: description: Vault Url from which the secrets to be fetched from. 
@@ -6788,6 +8949,49 @@ spec: required: - vaultUrl type: object + chef: + description: Chef configures this store to sync secrets with chef server + properties: + auth: + description: Auth defines the information necessary to authenticate against chef Server + properties: + secretRef: + description: ChefAuthSecretRef holds secret references for chef server login credentials. + properties: + privateKeySecretRef: + description: SecretKey is the Signing Key in PEM format, used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - privateKeySecretRef + type: object + required: + - secretRef + type: object + serverUrl: + description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" + type: string + username: + description: UserName should be the user ID on the chef server + type: string + required: + - auth + - serverUrl + - username + type: object conjur: description: Conjur configures this store to sync secrets using conjur provider properties: 
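Review bot: `serverUrl` in the new `chef` block relies on prose ("terminate the url with a "/"") for a constraint the schema could enforce; add `format: uri` and a `pattern:` requiring the trailing slash so a malformed value is rejected at admission instead of failing at sync time. Also, the `privateKeySecretRef` description opens with "SecretKey is the Signing Key in PEM format" although the field is named `privateKeySecretRef`; reword it to match the field name so `kubectl explain` output is not confusing.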
@@ -6798,29 +9002,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6832,24 +9048,40 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6857,7 +9089,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -6873,7 +9107,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -6882,7 +9119,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -6901,7 +9140,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. @@ -6910,13 +9151,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -6930,13 +9175,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -6947,10 +9196,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId 
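Review bot: the `urlTemplate` description in the last hunk now reads as a bare heading followed by a fragment ("URLTemplate" / "If unset, defaults to ..."); give it a complete first sentence, for example `URLTemplate is the format string used to build the API URL.`, and state which values fill the four `%s` placeholders (the `tenant` and `tld` fields documented just above are the obvious candidates), so the generated docs are not truncated.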
@@ -6966,16 +9219,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7036,6 +9296,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
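Review bot: the new `fortanix` block declares no `required:` list, so a store with an empty `fortanix: {}` passes schema validation even though `apiKey` is the only credential it defines; if the provider cannot operate without it, list `apiKey` (and `apiKey.secretRef`) under `required:`. Also, `apiUrl` states "Defaults to `sdkms.fortanix.com`" in prose only, whereas the `onboardbase` block added later in this patch sets an explicit `default:` for its `apiHost`; declaring the default in the schema keeps the two providers consistent and makes the value visible to `kubectl explain`.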
@@ -7048,13 +9336,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7070,7 +9362,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7078,7 +9373,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7105,13 +9402,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7166,13 +9467,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7187,16 +9492,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -7217,29 +9528,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7247,7 +9570,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7255,7 +9581,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7264,16 +9592,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7299,7 +9633,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7319,6 +9655,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -7332,13 +9732,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
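Review bot: in the `onboardbase` block, `project` carries `default: development`, which looks copied from the `environment` field directly above it; a project name is user-specific, and defaulting it to "development" will silently point a misconfigured store at the wrong project, so drop that default (keeping `project` in `required:`, where it already is). Minor: "environmnent" in the `environment` description is a typo.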
@@ -7364,7 +9768,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -7373,26 +9779,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7411,13 +9825,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -7428,10 +9849,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -7439,7 +9865,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7451,6 +9879,145 @@ spec: - region - vault type: object + passbolt: + properties: + auth: + description: Auth defines the information necessary to authenticate against Passbolt Server + properties: + passwordSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + privateKeySecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - passwordSecretRef + - privateKeySecretRef + type: object + host: + description: Host defines the Passbolt Server to connect to + type: string + required: + - auth + - host + type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. 
+ properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object + pulumi: + description: Pulumi configures this store to sync secrets using the Pulumi provider + properties: + accessToken: + description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + default: https://api.pulumi.com + description: APIURL is the URL of the Pulumi API. 
+ type: string + environment: + description: |- + Environment are YAML documents composed of static key-value pairs, programmatic expressions, + dynamically retrieved values from supported providers including all major clouds, + and other Pulumi ESC environments. + To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. + type: string + organization: + description: |- + Organization are a space to collaborate on shared projects and stacks. + To create a new organization, visit https://app.pulumi.com/ and click "New Organization". + type: string + required: + - accessToken + - environment + - organization + type: object scaleway: description: Scaleway properties: @@ -7461,13 +10028,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
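Review bot: the new provider blocks leave several credential objects without `required` lists, so structurally empty references pass admission and fail only at reconcile time. In `pulumi`, `accessToken` lists `secretRef` but carries no `required: - secretRef`; in `passworddepot`, `auth.secretRef` lists `credentials` without requiring it (only `auth` itself requires `secretRef`). If these come from upstream, raise them there; otherwise add the `required` entries. Two documentation points in the same hunk: `passworddepot.host` is described as "URL configures the Password Depot instance URL." (the field is named `host`, so the description should say which form is expected), and the `passbolt` block is the only one of the three with no top-level `description`.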
@@ -7490,13 +10061,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7518,16 +10093,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7556,39 +10137,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7596,37 +10199,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -7638,7 +10257,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7646,7 +10268,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7668,39 +10292,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7714,25 +10353,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7740,7 +10395,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
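Review bot: the defaults stated in prose for `jwt.kubernetesServiceAccountToken` are not expressed in the schema. `audiences` says it "Defaults to a single audience `vault` it not specified" (typo: "if") and `expirationSeconds` says "Defaults to 10 minutes", but neither field carries a `default:` key the way `path: default: jwt` does, and both are marked `Deprecated:` only inside the description text. Since the stated replacement is `serviceAccountRef.audiences`, the description should also say which wins when both are set. These are upstream descriptions, so the fix belongs upstream.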
@@ -7750,55 +10407,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7806,7 +10494,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
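Review bot: the fallback in `kubernetes.secretRef` ("If one is not specified, the one bound to the controller will be used") means a store that sets neither `secretRef` nor `serviceAccountRef` authenticates to Vault with the operator's own ServiceAccount token. That is the privilege-relevant case for a ClusterSecretStore and neither description calls it out; the `serviceAccountRef` text should state that the default is the controller identity and that a per-store `serviceAccountRef` is what keeps the Vault role scoped to the consuming namespace. Minor: "kubernetes ServiceAccount" should read "Kubernetes ServiceAccount" in both descriptions.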
@@ -7816,43 +10506,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
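Review bot: `auth.namespace` is new and its defaulting ("This will default to Vault.Namespace field if set, or empty otherwise") lives in the controller, not the schema: there is no `default:` key, so an unset field is stored as absent and readers of the CRD alone cannot see the fallback. The description should say so explicitly, and the provider-level `namespace` description (in the `forwardInconsistent`/`namespace`/`path` hunk further down) should cross-reference `auth.namespace` so it is clear which one governs the login call versus the KV read. Minor grammar in the added text: "different than" should be "different from", and "Namespaces is a set of features" should be "Namespaces are a feature".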
@@ -7860,23 +10575,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -7884,7 +10610,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7897,7 +10627,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7910,23 +10642,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -7942,7 +10740,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7983,7 +10785,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
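Review bot: the new `tls` block (`certSecretRef`/`keySecretRef`) in this hunk carries no `required` list, so the schema admits a client certificate without a key or vice versa; the descriptions should say that both must be set together for mutual TLS and what the controller does when only one is present. Since `keySecretRef` points at a client private key and its `namespace` sub-field permits cross-namespace references, the description should match the wording used for `caProvider.namespace` above ("Can only be defined when used in a ClusterSecretStore") rather than the generic "Ignored if referent is not cluster-scoped".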
@@ -7993,13 +10797,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -8030,13 +10838,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8044,16 +10856,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8073,13 +10891,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8087,16 +10909,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -8166,7 +10994,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io 
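Review bot: the `controller-gen.kubebuilder.io/version` bump from v0.13.0 to v0.14.0 in this hunk shows the CRD was regenerated rather than hand-edited; the commit message should name the upstream external-secrets release or tag the file was copied from so the generated schema (including the new `tls` and auth `namespace` fields) can be diffed against that source instead of reviewed line by line.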
@@ -8186,17 +11014,28 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string method: description: Vault API method to use (GET/POST/other) 
@@ -8214,39 +11053,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -8254,37 +11115,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -8296,7 +11173,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8304,7 +11184,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8326,39 +11208,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8372,25 +11269,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8398,7 +11311,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8408,55 +11323,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8464,7 +11410,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8474,43 +11422,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
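Review bot: the new `auth.namespace` field (hunk at -8474) is documented as defaulting to the provider-level `Vault.Namespace` when that is set, and as empty otherwise, so a deployment that authenticates in one Vault Enterprise namespace and reads secrets from another must now set both fields explicitly. Suggest the pattern's values documentation state that the auth namespace and the secret namespace are independent, since the description text in this hunk is the only place that is said.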
@@ -8518,23 +11491,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -8542,7 +11526,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -8555,7 +11543,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -8568,23 +11558,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -8595,7 +11651,12 @@ spec: type: object resultType: default: Data - description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + description: |- + Result type defines which data is returned from the generator. + By default it is the "data" section of the Vault API response. + When using e.g. /auth/token/create the "data" section is empty but + the "auth" section contains the generated token. + Please refer to the vault docs regarding the result data structure. enum: - Data - Auth 
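Review bot: the new `tls` block (hunk at -8568) references the client certificate and private key through `certSecretRef` and `keySecretRef`, whose `namespace` is, per the same description text, only honoured for a cluster-scoped referent; because this chart renders a `ClusterSecretStore` (hunk at -9225), that is exactly the case here, and `key` falls back to `tls.crt` and `tls.key` only when it is omitted. Suggest documenting both points in the pattern values when mutual TLS to Vault is enabled, and repeating the description's own caveat that this is distinct from the `auth.cert` method.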
@@ -8620,16 +11681,163 @@ spec: namespace: "default" path: /convert --- +# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: webhooks.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - webhook + kind: Webhook + listKind: WebhookList + plural: webhooks + shortNames: + - webhookl + singular: webhook + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Webhook connects to a third party API server to handle the secrets generation + configuration parameters in spec. + You can specify the server, the token, and additional body parameters. + See documentation for the full API specification for requests and responses. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. + properties: + body: + description: Body + type: string + caBundle: + description: |- + PEM encoded CA bundle used to validate webhook server certificate. 
Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. + format: byte + type: string + caProvider: + description: The provider for the CA bundle to use to validate webhook server certificate. + properties: + key: + description: The key the value inside of the provider type to use, only used with "Secret" type + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object + headers: + additionalProperties: + type: string + description: Headers + type: object + method: + description: Webhook Method + type: string + result: + description: Result formatting + properties: + jsonPath: + description: Json path of return value + type: string + type: object + secrets: + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name + items: + properties: + name: + description: Name of this secret in templates + type: string + secretRef: + description: Secret ref to fill in credentials + properties: + key: + description: The key where the token is found. + type: string + name: + description: The name of the Secret resource being referred to. 
+ type: string + type: object + required: + - name + - secretRef + type: object + type: array + timeout: + description: Timeout + type: string + url: + description: Webhook url to call + type: string + required: + - result + - url + type: object + type: object + served: true + storage: true + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + clientConfig: + service: + name: common-golang-external-secrets-webhook + namespace: "default" + path: /convert +--- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8693,10 +11901,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8739,8 +11947,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "get" - "list" 
@@ -8802,10 +12012,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8829,8 +12039,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "get" - "watch" @@ -8842,10 +12054,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8870,8 +12082,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "create" - "delete" @@ -8886,10 +12100,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
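Review bot: the controller, view and edit ClusterRoles (hunks at -8739, -8829 and -8870) now cover the `webhooks` and `githubaccesstokens` generators. The Webhook generator CRD added earlier in this file (hunk at -8620) lets a namespaced object set `url`, `method`, `headers`, `body` and a `secrets` list whose referenced values are filled into the request, so anyone who can create Webhook objects in a namespace can have the controller send Secret values from that namespace to the configured server, and the `aggregate-to-edit` role extends that ability to every namespace editor. This RBAC comes straight from the upstream chart, so nothing to change in the expected file, but confirm that scope is what the pattern intends and that the webhooks generator is actually needed.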
@@ -8907,10 +12121,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8918,7 +12132,7 @@ roleRef: name: common-golang-external-secrets-cert-controller subjects: - name: external-secrets-cert-controller - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml @@ -8927,10 +12141,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8938,7 +12152,7 @@ roleRef: name: common-golang-external-secrets-controller subjects: - name: common-golang-external-secrets - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml 
@@ -8961,12 +12175,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: common-golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -9000,12 +12214,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: common-golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -9014,19 +12228,19 @@ roleRef: subjects: - kind: ServiceAccount name: common-golang-external-secrets - namespace: "default" + namespace: default --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml apiVersion: v1 kind: Service metadata: name: common-golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
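Review bot: the `namespace: "default"` to `namespace: default` changes (hunks at -8918, -8938, -8961, -9000 and -9014, and the matching ones in the Deployment and webhook hunks that follow) are a quoting difference only; both forms are the same YAML string, so these hunks carry no behavioural change and reflect the newer chart's rendering. Worth stating in the commit message, since they make up a large share of the diff.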
@@ -9045,12 +12259,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: common-golang-external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9062,10 +12276,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -9080,7 +12294,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -9108,12 +12322,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: common-golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -9125,10 +12339,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: common-golang-external-secrets @@ -9143,7 +12357,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -9158,12 +12372,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: common-golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9175,10 +12389,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -9193,7 +12407,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - webhook 
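Review bot: the three Deployments (hunks at -9080, -9143 and -9193) move to `ghcr.io/external-secrets/external-secrets:v0.9.16-ubi`, still pinned by a mutable tag rather than an image digest. The expected file has to match what the chart renders, so no change here, but if the pattern wants a stable supply-chain reference it should override the image in values with a digest and regenerate these expectations.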
@@ -9225,7 +12439,7 @@ spec: secret: secretName: common-golang-external-secrets-webhook --- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml +# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore metadata: @@ -9273,7 +12487,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: common-golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-secretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -9289,7 +12503,7 @@ webhooks: scope: "Cluster" clientConfig: service: - namespace: "default" + namespace: default name: common-golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-clustersecretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -9313,7 +12527,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: common-golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-externalsecret admissionReviewVersions: ["v1", "v1beta1"] diff --git a/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml b/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml index 0c569a2..a0ad351 100644 --- a/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml +++ b/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml 
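Review bot: the `# Source:` comment for the hub `ClusterSecretStore` moves from `templates/` to `templates/vault/` (hunk at -9225), which implies the template file was relocated in the chart; this expected file only shows the rendered output, so check that the template move is part of the same change, otherwise the test expectation will not match the chart.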
@@ -4,12 +4,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -17,12 +17,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: common-golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -30,12 +30,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml 
@@ -43,12 +43,12 @@ apiVersion: v1 kind: Secret metadata: name: common-golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,7 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -85,18 +85,39 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md" + description: |- + ACRAccessToken returns a Azure Container Registry token + that can be used for pushing/pulling images. + Note: by default it will return an ACR Refresh Token with full access + (depending on the identity). + This can be scoped down to the repository level using .spec.scope. + In case scope is defined it will return an ACR Access Token. + + + See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: 'ACRAccessTokenSpec defines how to generate the access token e.g. how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview' + description: |- + ACRAccessTokenSpec defines how to generate the access token + e.g. how to authenticate and which registry to use. + see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview properties: auth: properties: 
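Review bot: the regenerated ACRAccessToken description (hunk at -85) now contains two consecutive empty lines before `See docs:`; that is how controller-gen v0.14.0 (annotation bump in the hunk at -67) carries a blank separator from the Go doc comment into the schema, and the same reflow into `|-` blocks accounts for most of the CRD hunks in this file. Harmless in the schema and the expected file has to match, so nothing to change, but it is useful context for anyone diffing these files later.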
@@ -111,32 +132,42 @@ spec: description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. properties: secretRef: - description: Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret. + description: |- + Configuration used to authenticate with Azure using static + credentials stored in a Kind=Secret. properties: clientId: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -147,10 +178,15 @@ spec: description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. properties: serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -158,7 +194,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -167,7 +205,11 @@ spec: type: object environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -175,10 +217,23 @@ spec: - GermanCloud type: string registry: - description: the domain name of the ACR registry e.g. foobarexample.azurecr.io + description: |- + the domain name of the ACR registry + e.g. foobarexample.azurecr.io type: string scope: - description: "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. \n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/" + description: |- + Define the scope for the access token, e.g. pull/push access for a repository. + if not provided it will return a refresh token that has full scope. + Note: you need to pin it down to the repository level, there is no wildcard available. + + + examples: + repository:my-repository:pull,push + repository:my-repository:pull + + + see docs for details: https://docs.docker.com/registry/spec/auth/scope/ type: string tenantId: description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. @@ -208,7 +263,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io 
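Review bot: the `controller-gen.kubebuilder.io/version: v0.13.0` → `v0.14.0` annotation bump at the end of this hunk is the only non-description change in this region, and everything else here is generator output, so the review question is whether the regeneration changed anything beyond wording. The new generator rewrites every `description` as a `|-` block scalar and carries the Go doc comments' blank lines through literally (the ACRAccessToken and `scope` descriptions now contain two consecutive empty lines where the old quoted strings had `\n \n`), which is harmless for the API server but makes a plain diff noisy. Suggest confirming with a normalized comparison of the old and new CRD objects that no `type`, `enum`, `default` or `required` entries moved, and pinning controller-gen to v0.14.0 wherever the CRDs are regenerated so that a later `make` does not flip the annotation back and produce a spurious diff.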
@@ -239,10 +294,19 @@ spec: description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -273,7 +337,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -311,14 +377,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -338,7 +413,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -353,11 +430,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -395,7 +476,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -430,11 +513,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -447,10 +534,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -458,7 +549,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -482,7 +579,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -495,13 +594,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -513,11 +617,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -526,7 +634,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -536,7 +646,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -547,7 +660,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 
@@ -636,21 +752,31 @@ spec: type: object type: object namespaceSelector: - description: The labels to select by to find the Namespaces to create the ExternalSecrets in. + description: |- + The labels to select by to find the Namespaces to create the ExternalSecrets in. + Deprecated: Use NamespaceSelectors instead. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -662,10 +788,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + namespaceSelectors: + description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array namespaces: description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. items: @@ -739,7 +916,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io 
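Review bot: the `namespaces` field description in this hunk is now stale: it still reads `Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing.` while the newly added `namespaceSelectors` list sits right above it and `namespaceSelector` is marked `Deprecated: Use NamespaceSelectors instead.`; update it to say the name list is ORed with both selectors. Two follow-ups on the new list itself: the item description states that `An empty label selector matches all objects`, so a single `{}` element in `namespaceSelectors` selects every namespace in the cluster and a ClusterExternalSecret would fan its Secret out everywhere, which is worth calling out in the field description and, ideally, rejecting (a `minProperties` style constraint on the item, or a check in the admission or reconcile path). And since the deprecation is expressed only in the description, please confirm the reconciler keeps honouring `namespaceSelector` for existing objects and merges it with the new list rather than silently ignoring one of them.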
@@ -768,10 +945,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -779,7 +965,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -796,7 +984,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -805,23 +995,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -829,7 +1034,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -839,51 +1046,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
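Review bot: the reflowed `caBundle` description at the end of this hunk still reads `PEM/base64 encoded CA bundle`, but the field carries `format: byte`, which in OpenAPI v3 means the value itself must be base64; a user reading "PEM/base64" may paste a raw PEM block and get a validation error or, worse, a silently ignored bundle that falls back to the system roots named in the next sentence. Suggest wording it as a base64-encoded PEM bundle while this description is being touched anyway.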
@@ -942,26 +1170,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -980,7 +1216,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -989,7 +1228,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -997,39 +1239,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1060,32 +1314,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -1095,10 +1361,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1106,7 +1377,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1155,13 +1428,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1177,7 +1454,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1185,7 +1465,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1212,13 +1494,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1246,13 +1532,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1277,29 +1567,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1310,7 +1612,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1318,7 +1623,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1328,16 +1635,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1387,7 +1700,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1396,26 +1712,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1434,13 +1758,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -1451,10 +1782,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -1462,7 +1798,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -1474,6 +1812,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
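Review bot: in the @@ -1474,6 +1812,46 @@ hunk the new `passworddepot` provider is the only schema addition in this file, and it is looser than the sibling providers it sits between: `secretRef:` has no `description:`, `credentials` is not listed under a `required:` for `secretRef` (only `secretRef` itself is required under `auth`), and the `key` of the credentials selector is not required even though that entry is what holds the username/password the description refers to. The `host` field is also documented as "URL configures the Password Depot instance URL." while the field is named `host`, which will confuse anyone reading `kubectl explain`. Since these descriptions are generated, the fix belongs upstream in the source this CRD is generated from rather than in this vendored copy; adding `required: - credentials` under `secretRef` would stop a store from validating with no credential to use.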
@@ -1481,26 +1859,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1509,55 +1901,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1565,7 +1985,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
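Review bot: the @@ -1509,55 +1901,83 @@ hunk carries the pre-existing typo forward in the reflowed `audiences` text under `kubernetesServiceAccountToken`: "Defaults to a single audience `vault` it not specified." should read "if not specified". The reflow is otherwise mechanical (long descriptions split into `|-` block scalars), so this is a generated-source issue to report upstream rather than hand-edit here; worth noting because that default audience is the value Vault checks on the projected token.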
@@ -1575,55 +1997,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1631,7 +2084,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1641,27 +2096,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -1671,18 +2139,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -1708,23 +2184,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -1740,7 +2233,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -1781,7 +2278,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -1791,13 +2290,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -1828,13 +2331,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1842,16 +2349,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1918,10 +2431,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1931,7 +2453,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -1939,16 +2463,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1960,7 +2492,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1972,7 +2507,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1989,7 +2526,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -1998,23 +2537,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2022,7 +2576,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2032,51 +2588,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -2089,7 +2666,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2135,26 +2714,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2178,7 +2765,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -2187,7 +2777,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2195,52 +2788,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -2258,10 +2870,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -2297,38 +2919,67 @@ spec: description: AzureKV configures this store to sync secrets using Azure Key Vault provider properties: authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. + description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: clientId: - description: The Azure clientId of the service principle used for authentication. + description: The Azure clientId of the service principle or managed identity used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. 
+ type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + tenantId: + description: The Azure tenantId of the managed identity used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity 
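Review bot: spelling in the changed clientId description: "service principle or managed identity" should read "service principal or managed identity" (the unchanged clientSecret line carries the same typo, but this line is being rewritten anyway). Also, the reflowed authType description lists only "ServicePrincipal" and "ManagedIdentity" under "Valid values", while the authSecretRef description in this same hunk is now marked "Optional for WorkloadIdentity"; if WorkloadIdentity is an accepted authType, add it to that list so the description and the enum agree.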
@@ -2336,7 +2987,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud @@ -2347,10 +3002,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
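Review bot: grammar in the reflowed serviceAccountRef description: "ServiceAccountRef specified the service account" should be "specifies". In the audiences description, "then this audiences will be appended" should be "these audiences"; since the same text recurs for every serviceAccountRef in this file, fix it at the source (the Go doc comment, if the CRD is generated from one) rather than in each YAML copy.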
@@ -2358,13 +3018,15 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. + description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. type: string vaultUrl: description: Vault Url from which the secrets to be fetched from. 
@@ -2372,6 +3034,49 @@ spec: required: - vaultUrl type: object + chef: + description: Chef configures this store to sync secrets with chef server + properties: + auth: + description: Auth defines the information necessary to authenticate against chef Server + properties: + secretRef: + description: ChefAuthSecretRef holds secret references for chef server login credentials. + properties: + privateKeySecretRef: + description: SecretKey is the Signing Key in PEM format, used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - privateKeySecretRef + type: object + required: + - secretRef + type: object + serverUrl: + description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" + type: string + username: + description: UserName should be the user ID on the chef server + type: string + required: + - auth + - serverUrl + - username + type: object conjur: description: Conjur configures this store to sync secrets using conjur provider properties: 
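Review bot: serverUrl's description puts the burden on the user to include the org and end the URL with a "/", but the schema carries no `pattern` or `format` for the field, so a URL without the trailing slash passes admission and only fails at sync time; consider `pattern: '^https?://.+/$'` so the documented requirement is enforced. Also, "UserName should be the user ID on the chef server" reads better as "UserName is the user ID on the chef server", and "the chef server URL used to connect to" as "the chef server URL to connect to".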
@@ -2382,29 +3087,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2416,24 +3133,40 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2441,7 +3174,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -2457,7 +3192,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -2466,7 +3204,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
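Review bot: hostId's description ("This may be used depending on how the Conjur JWT authenticator policy is configured") does not tell the user what value to put there or when it is needed; state what the field is matched against on the Conjur side, or give an example value, so operators configuring JWT auth know whether to set it. Minor grammar in the reflowed serviceAccountRef text in the same hunk: "for which to request a token for" has a duplicated "for".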
@@ -2485,7 +3225,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. @@ -2494,13 +3236,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -2514,13 +3260,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -2531,10 +3281,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId 
@@ -2550,16 +3304,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2620,6 +3381,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
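Review bot: apiUrl's default is stated only in prose ("Defaults to `sdkms.fortanix.com`") and without a scheme; add a `default:` key, as the onboardbase apiHost field later in this patch does, and spell out the full URL including the scheme so users can see the client is expected to talk HTTPS. Also, the fortanix object has no `required` list, so a store with neither apiKey nor apiUrl is accepted by the schema; if the provider cannot authenticate without an API key, add `required: - apiKey`.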
@@ -2632,13 +3421,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2654,7 +3447,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2662,7 +3458,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2689,13 +3487,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2750,13 +3552,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2771,16 +3577,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -2801,29 +3613,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2831,7 +3655,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2839,7 +3666,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2848,16 +3677,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2883,7 +3718,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2903,6 +3740,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -2916,13 +3817,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
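Review bot: `project` in the onboardbase block has `default: development`, which looks copied from the `environment` field just above it; a project named "development" is an unlikely default, and because `project` is also in the `required` list the default silently satisfies the requirement, so a user who forgets to set it will pull secrets from the wrong project instead of getting a validation error. Drop the default (or set the real one) and fix "environmnent" in the environment description.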
@@ -2948,7 +3853,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -2957,26 +3864,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2995,13 +3910,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -3012,10 +3934,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3023,7 +3950,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3035,6 +3964,145 @@ spec: - region - vault type: object + passbolt: + properties: + auth: + description: Auth defines the information necessary to authenticate against Passbolt Server + properties: + passwordSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + privateKeySecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - passwordSecretRef + - privateKeySecretRef + type: object + host: + description: Host defines the Passbolt Server to connect to + type: string + required: + - auth + - host + type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. 
+ properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object + pulumi: + description: Pulumi configures this store to sync secrets using the Pulumi provider + properties: + accessToken: + description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + default: https://api.pulumi.com + description: APIURL is the URL of the Pulumi API. 
+ type: string + environment: + description: |- + Environment are YAML documents composed of static key-value pairs, programmatic expressions, + dynamically retrieved values from supported providers including all major clouds, + and other Pulumi ESC environments. + To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. + type: string + organization: + description: |- + Organization are a space to collaborate on shared projects and stacks. + To create a new organization, visit https://app.pulumi.com/ and click "New Organization". + type: string + required: + - accessToken + - environment + - organization + type: object scaleway: description: Scaleway properties: @@ -3045,13 +4113,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
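Review bot: in the hunk that adds passbolt, passworddepot and pulumi, `passbolt` is the only provider block with no top-level `description:` (every sibling provider has one), so the Go struct field is missing its doc comment. In the same hunk, `pulumi.accessToken` has no `required:` list for `secretRef`, so `accessToken: {}` passes schema validation even though `accessToken` itself is required; add `required: - secretRef` under it. And `passworddepot.host` is described as "URL configures the Password Depot instance URL", which should say Host or the field should be renamed so the doc and the name agree.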
@@ -3074,13 +4146,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3102,16 +4178,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3140,39 +4222,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
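Review bot: in the appRole hunk, the schema accepts both `roleId` (plain text in the spec) and `roleRef` (a Secret reference) with nothing marking them mutually exclusive, and only `secretRef` appears under `required:`, so an AppRole block with neither role source is schema-valid and fails only at login. Consider an `x-kubernetes-validations` rule such as `has(self.roleId) != has(self.roleRef)` where the supported Kubernetes versions allow CEL, or at least state in the `roleRef` description which source wins when both are set; the docs should also steer users to `roleRef`, since a RoleID placed in `roleId` is readable by anyone who can get the store object.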
@@ -3180,37 +4284,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -3222,7 +4342,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3230,7 +4353,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3252,39 +4377,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3298,25 +4438,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3324,7 +4480,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
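Review bot: in the jwt hunk, the `audiences` description under `kubernetesServiceAccountToken` still reads "Defaults to a single audience `vault` it not specified" (should be "if not specified"); as with the other descriptions this is generated text, so the fix belongs in the Go doc comment. Both `audiences` and `expirationSeconds` are deprecated only in prose; a separate `Deprecated:` paragraph in the doc comment would let tooling surface it, and the `expirationSeconds` text should say whether the 10-minute default still applies when `serviceAccountRef.audiences` is used instead.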
@@ -3334,55 +4492,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3390,7 +4579,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
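Review bot: in the kubernetes auth hunk, the `secretRef` description says that when neither a Secret nor a `serviceAccountRef` is given "the one bound to the controller will be used", meaning the operator's own ServiceAccount token is presented to Vault. That fallback deserves an explicit warning in the description: a user who can create a store object then logs in to Vault with the controller's identity under whatever `role` they name, and only the Vault role's service-account binding limits what that grants. Suggest the `role` description also state that the role's bound service account must match the token actually used.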
@@ -3400,43 +4591,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
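Review bot: the `namespace` field added under the Vault `auth` block in hunk `@@ -3400,43 +4591,68 @@` is a schema addition, not part of the generator reflow that makes up the rest of this hunk, so it should be called out in the commit message rather than ride along silently. Its description states "This will default to Vault.Namespace field if set, or empty otherwise"; please confirm the controller actually applies that fallback, because it is what keeps existing SecretStores authenticating against the same Vault namespace after this CRD update. The wording "different than the namespace your secret is in" comes from the upstream Go doc comment, so any wording fix belongs upstream, not in this vendored YAML.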
@@ -3444,23 +4660,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -3468,7 +4695,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3481,7 +4712,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -3494,23 +4727,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -3526,7 +4825,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3567,7 +4870,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
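Review bot: the new `tls` block (`certSecretRef` / `keySecretRef`) in hunk `@@ -3494,23 +4727,89 @@` introduces client-side mutual TLS for the Vault provider and deserves a line in the commit message, since the surrounding `description: |-` reflow hides it. `keySecretRef` points at a client private key, and the inherited `namespace` description ("Ignored if referent is not cluster-scoped") means a ClusterSecretStore can resolve that key from any namespace; the docs for this field should say which Secret it is expected to reference. The defaults `tls.crt` and `tls.key` match the key names of a standard `kubernetes.io/tls` Secret, which is worth stating explicitly so users do not conflate this with the `auth.cert` method the description already distinguishes it from.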
@@ -3577,13 +4882,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -3614,13 +4923,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3628,16 +4941,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3657,13 +4976,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3671,16 +4994,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -3750,7 +5079,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
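Review bot: the `controller-gen.kubebuilder.io/version: v0.13.0` to `v0.14.0` bump in hunk `@@ -3750,7 +5079,7 @@` (and repeated on each CRD's annotation further down) is what turns every single-line `description:` into a `description: |-` literal block across the whole file. Because the mechanical reflow and the real API changes are mixed in one diff, the commit message should state the upstream external-secrets release these CRDs were regenerated from and list the schema additions (the Vault `auth.namespace` and `tls` fields seen above), so a reviewer can verify the non-generated parts without reading thousands of reflowed lines.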
@@ -3768,13 +5097,28 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. + description: |- + ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an + authorization token. + The authorization token is valid for 12 hours. + The authorizationToken returned is a base64 encoded string that can be decoded + and used in a docker login command to authenticate to a registry. + For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3790,7 +5134,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3798,52 +5145,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -3852,7 +5218,9 @@ spec: description: Region specifies the region to operate in. type: string role: - description: You can assume a role before making calls to the desired AWS service. + description: |- + You can assume a role before making calls to the + desired AWS service. type: string required: - region @@ -3878,7 +5246,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: externalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -3910,10 +5278,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3955,7 +5332,9 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: description: ExternalSecretDataRemoteRef defines Provider data location. properties: 
@@ -3981,13 +5360,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -3996,11 +5380,15 @@ spec: - name type: object target: - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Merge 
@@ -4010,7 +5398,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4021,7 +5412,10 @@ spec: type: object engineVersion: default: v1 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4093,7 +5487,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4117,7 +5514,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4149,10 +5548,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4165,7 +5573,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -4203,14 +5613,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -4230,7 +5649,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
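Review bot: the reflowed `generatorRef` description in hunk `@@ -4203,14 +5613,23 @@` emits two empty `+` lines inside the `|-` block before the "Deprecated:" sentence, and the neighbouring `sourceRef` text keeps the upstream slip "from which the value will pulled from". Both originate in the Go doc comments that controller-gen copies verbatim, so correct them upstream rather than hand-editing this vendored CRD, otherwise the next regeneration reintroduces them. The deprecation notice itself ("not implemented in .data[]. this will be removed with v1") is user-facing and should survive any cleanup.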
@@ -4245,11 +5666,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -4287,7 +5712,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -4322,11 +5749,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -4339,10 +5770,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -4350,7 +5785,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -4374,7 +5815,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4387,13 +5830,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -4405,11 +5853,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -4418,7 +5870,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -4428,7 +5882,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4439,7 +5896,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4533,7 +5993,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4557,7 +6020,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4586,7 +6051,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4604,13 +6069,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Fake generator is used for testing. It lets you define a static set of credentials that is always returned. + description: |- + Fake generator is used for testing. It lets you define + a static set of credentials that is always returned. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4618,12 +6094,16 @@ spec: description: FakeSpec contains the static data. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string data: additionalProperties: type: string - description: Data defines the static data returned by this generator. + description: |- + Data defines the static data returned + by this generator. type: object type: object type: object @@ -4647,7 +6127,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -4665,13 +6145,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: GCRAccessToken generates an GCP access token that can be used to authenticate with GCR. + description: |- + GCRAccessToken generates an GCP access token + that can be used to authenticate with GCR. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4686,13 +6177,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -4708,7 +6203,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -4716,7 +6214,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -4750,65 +6250,187 @@ spec: namespace: "default" path: /convert --- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml +# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: passwords.generators.external-secrets.io + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubaccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io names: categories: - - password - kind: Password - listKind: PasswordList - plural: passwords + - githubaccesstoken + kind: GithubAccessToken + listKind: GithubAccessTokenList + plural: githubaccesstokens shortNames: - - password - singular: password + - githubaccesstoken + singular: githubaccesstoken scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: - description: Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes. + description: GithubAccessToken generates ghs_ accessToken properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: PasswordSpec controls the behavior of the password generator. properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: Length of the password to be generated. Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: SymbolCharacters specifies the special characters that should be used in the generated password. + appID: type: string - symbols: - description: Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat + auth: + description: Auth configures how ESO authenticates with a Github instance. + properties: + privatKey: + properties: + secretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. 
+ type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - secretRef + type: object + required: + - privatKey + type: object + installID: + type: string + url: + description: URL configures the Github instance URL. Defaults to https://github.com/. + type: string + required: + - appID + - auth + - installID + type: object + type: object + served: true + storage: true + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + clientConfig: + service: + name: common-golang-external-secrets-webhook + namespace: "default" + path: /convert +--- +# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: passwords.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - password + kind: Password + listKind: PasswordList + plural: passwords + shortNames: + - password + singular: password + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Password generates a random password based on the + configuration parameters in spec. + You can specify the length, characterset and other attributes. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PasswordSpec controls the behavior of the password generator. + properties: + allowRepeat: + default: false + description: set AllowRepeat to true to allow repeating characters. + type: boolean + digits: + description: |- + Digits specifies the number of digits in the generated + password. If omitted it defaults to 25% of the length of the password + type: integer + length: + default: 24 + description: |- + Length of the password to be generated. + Defaults to 24 + type: integer + noUpper: + default: false + description: Set NoUpper to disable uppercase characters + type: boolean + symbolCharacters: + description: |- + SymbolCharacters specifies the special characters that should be used + in the generated password. + type: string + symbols: + description: |- + Symbols specifies the number of symbol characters in the generated + password. If omitted it defaults to 25% of the length of the password + type: integer + required: + - allowRepeat - length - noUpper type: object @@ -4833,7 +6455,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: pushsecrets.external-secrets.io spec: group: external-secrets.io 
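Review bot: in the new githubaccesstokens CRD (hunk @@ -4750,65 +6250,187 @@) the required auth property is spelled `privatKey`, both under `auth.properties` and in `required: - privatKey`, and `appID` and `installID` carry no `description` at all. Because this manifest is rendered from the chart (`# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml`), the spelling is inherited from upstream and should not be hand-corrected here: a locally fixed field name would make the vendored CRD diverge from the chart and reject objects written against the upstream schema. Raise it upstream instead, and keep this hunk as rendered.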
@@ -4858,10 +6480,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4872,6 +6503,13 @@ spec: description: Secret Data that should be pushed to providers items: properties: + conversionStrategy: + default: None + description: Used to define a conversion Strategy for the secret keys + enum: + - None + - ReverseUnicode + type: string match: description: Match a given Secret Key to be pushed to the provider. properties: 
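Review bot: the `conversionStrategy` field added to `spec.data[]` in hunk @@ -4872,6 +6503,13 @@ defaults to `None`, so PushSecret objects created before this change keep their current key handling, but the description ("Used to define a conversion Strategy for the secret keys") does not say what `ReverseUnicode` does to a key. As generated schema text it cannot be edited in this vendored copy; what a reviewer can check is that the same `default: None` and the same two-value `enum` are repeated under `status.syncedPushSecrets` later in this patch and that the two copies stay identical, which they do here.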
@@ -4894,7 +6532,9 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match @@ -4915,7 +6555,9 @@ spec: properties: kind: default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string labelSelector: description: Optionally, sync to secret stores with label selector 
@@ -4923,16 +6565,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4944,7 +6594,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4977,7 +6630,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -5063,6 +6719,13 @@ spec: type: type: string type: object + updatePolicy: + default: Replace + description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' + enum: + - Replace + - IfNotExists + type: string required: - secretStoreRefs - selector @@ -5092,7 +6755,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
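Review bot: the `updatePolicy` field added in hunk @@ -5063,6 +6719,13 @@ defaults to `Replace`, so existing PushSecrets keep overwriting the provider-side value and `IfNotExists` must be set explicitly wherever a value already present in the provider should be left untouched; that is the compatible default, but it is worth calling out when this chart version is rolled out. Two points on the hunk text itself: the description is still a single-quoted scalar ('UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".') while every other description touched by this patch was converted to a `|-` block scalar, and it lists the values without stating what each one does. Both come from the upstream chart, so the fix belongs there rather than in this rendered copy.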
@@ -5100,6 +6765,13 @@ spec: additionalProperties: additionalProperties: properties: + conversionStrategy: + default: None + description: Used to define a conversion Strategy for the secret keys + enum: + - None + - ReverseUnicode + type: string match: description: Match a given Secret Key to be pushed to the provider. properties: @@ -5122,13 +6794,17 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match type: object type: object - description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore. + description: |- + Synced PushSecrets, including secrets that already exist in provider. + Matches secret stores to PushSecretData that was stored to that secret store. type: object syncedResourceVersion: description: SyncedResourceVersion keeps track of the last synced version. @@ -5155,7 +6831,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretstores.external-secrets.io spec: group: external-secrets.io 
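Review bot: the reworded `syncedPushSecrets` description in hunk @@ -5122,13 +6794,17 @@ (from "Synced Push Secrets for later deletion" to "Synced PushSecrets, including secrets that already exist in provider") changes what the status map is documented to hold, and it is consistent with the `updatePolicy: IfNotExists` value added in the spec hunk above, which is how a provider secret that ESO did not create can now appear in status. The `conversionStrategy` block duplicated into the status schema in hunk @@ -5100,6 +6765,13 @@ carries the same `default: None` and the same `enum` as the copy under `spec.data[]`; any later change to one must be mirrored in the other, since the status map is declared with the same shape as the spec entry.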
@@ -5184,10 +6860,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -5195,7 +6880,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5212,7 +6899,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -5221,23 +6910,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5245,7 +6949,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5255,51 +6961,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -5358,26 +7085,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5396,7 +7131,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -5405,7 +7143,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5413,39 +7154,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5476,32 +7229,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -5511,10 +7276,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5522,7 +7292,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5571,13 +7343,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5593,7 +7369,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5601,7 +7380,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5628,13 +7409,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5662,13 +7447,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5693,29 +7482,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5726,7 +7527,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5734,7 +7538,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5744,16 +7550,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5803,7 +7615,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5812,26 +7627,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5850,13 +7673,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -5867,10 +7697,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5878,7 +7713,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -5890,6 +7727,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
@@ -5897,26 +7774,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5925,55 +7816,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5981,7 +7900,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
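Review bot: the `audiences` description in the `kubernetesServiceAccountToken` block carries over an upstream typo, "Defaults to a single audience `vault` it not specified" (should read "if not specified"), and the `serviceAccountRef` one reads "then this audiences will be appended" ("these audiences"). Since this file is generated, the fix belongs upstream (and then a regenerate) rather than a local edit that the next sync would revert.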
@@ -5991,55 +7912,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6047,7 +7999,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
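Review bot: the rewrapped `secretRef` description under `kubernetes` auth still documents the fallback "If one is not specified, the one bound to the controller will be used", i.e. when neither `secretRef` nor `serviceAccountRef` is set the operator presents its own ServiceAccount JWT to Vault. That default is the one privilege-relevant behaviour in this hunk; it would be worth a sentence in the pattern's own docs so that store authors set an explicit `serviceAccountRef` (or `secretRef`) instead of inheriting the controller identity in a ClusterSecretStore.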
@@ -6057,27 +8011,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -6087,18 +8054,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6124,23 +8099,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -6156,7 +8148,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -6197,7 +8193,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -6207,13 +8205,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -6244,13 +8246,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6258,16 +8264,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6334,10 +8346,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -6347,7 +8368,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -6355,16 +8378,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6376,7 +8407,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6388,7 +8422,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -6405,7 +8441,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -6414,23 +8452,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6438,7 +8491,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6448,51 +8503,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6505,7 +8581,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -6551,26 +8629,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6594,7 +8680,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -6603,7 +8692,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -6611,52 +8703,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -6674,10 +8785,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -6713,38 +8834,67 @@ spec: description: AzureKV configures this store to sync secrets using Azure Key Vault provider properties: authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. + description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: clientId: - description: The Azure clientId of the service principle used for authentication. + description: The Azure clientId of the service principle or managed identity used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. 
type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + tenantId: + description: The Azure tenantId of the managed identity used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity 
@@ -6752,7 +8902,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud @@ -6763,10 +8917,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -6774,13 +8933,15 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. + description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. type: string vaultUrl: description: Vault Url from which the secrets to be fetched from. 
@@ -6788,6 +8949,49 @@ spec: required: - vaultUrl type: object + chef: + description: Chef configures this store to sync secrets with chef server + properties: + auth: + description: Auth defines the information necessary to authenticate against chef Server + properties: + secretRef: + description: ChefAuthSecretRef holds secret references for chef server login credentials. + properties: + privateKeySecretRef: + description: SecretKey is the Signing Key in PEM format, used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - privateKeySecretRef + type: object + required: + - secretRef + type: object + serverUrl: + description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" + type: string + username: + description: UserName should be the user ID on the chef server + type: string + required: + - auth + - serverUrl + - username + type: object conjur: description: Conjur configures this store to sync secrets using conjur provider properties: 
@@ -6798,29 +9002,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6832,24 +9048,40 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6857,7 +9089,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -6873,7 +9107,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -6882,7 +9119,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -6901,7 +9140,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. @@ -6910,13 +9151,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -6930,13 +9175,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -6947,10 +9196,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId 
@@ -6966,16 +9219,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7036,6 +9296,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
@@ -7048,13 +9336,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7070,7 +9362,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7078,7 +9373,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7105,13 +9402,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7166,13 +9467,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7187,16 +9492,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -7217,29 +9528,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7247,7 +9570,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7255,7 +9581,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7264,16 +9592,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7299,7 +9633,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7319,6 +9655,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -7332,13 +9732,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7364,7 +9768,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -7373,26 +9779,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7411,13 +9825,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -7428,10 +9849,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -7439,7 +9865,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7451,6 +9879,145 @@ spec: - region - vault type: object + passbolt: + properties: + auth: + description: Auth defines the information necessary to authenticate against Passbolt Server + properties: + passwordSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + privateKeySecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - passwordSecretRef + - privateKeySecretRef + type: object + host: + description: Host defines the Passbolt Server to connect to + type: string + required: + - auth + - host + type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. 
+ properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object + pulumi: + description: Pulumi configures this store to sync secrets using the Pulumi provider + properties: + accessToken: + description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + default: https://api.pulumi.com + description: APIURL is the URL of the Pulumi API. 
+ type: string + environment: + description: |- + Environment are YAML documents composed of static key-value pairs, programmatic expressions, + dynamically retrieved values from supported providers including all major clouds, + and other Pulumi ESC environments. + To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. + type: string + organization: + description: |- + Organization are a space to collaborate on shared projects and stacks. + To create a new organization, visit https://app.pulumi.com/ and click "New Organization". + type: string + required: + - accessToken + - environment + - organization + type: object scaleway: description: Scaleway properties: @@ -7461,13 +10028,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7490,13 +10061,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7518,16 +10093,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7556,39 +10137,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7596,37 +10199,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -7638,7 +10257,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7646,7 +10268,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7668,39 +10292,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7714,25 +10353,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7740,7 +10395,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7750,55 +10407,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7806,7 +10494,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7816,43 +10506,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -7860,23 +10575,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -7884,7 +10610,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7897,7 +10627,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7910,23 +10642,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -7942,7 +10740,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7983,7 +10785,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -7993,13 +10797,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -8030,13 +10838,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8044,16 +10856,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8073,13 +10891,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8087,16 +10909,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -8166,7 +10994,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -8186,17 +11014,28 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string method: description: Vault API method to use (GET/POST/other) 
@@ -8214,39 +11053,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -8254,37 +11115,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -8296,7 +11173,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8304,7 +11184,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8326,39 +11208,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8372,25 +11269,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8398,7 +11311,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8408,55 +11323,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8464,7 +11410,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8474,43 +11422,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -8518,23 +11491,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -8542,7 +11526,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -8555,7 +11543,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -8568,23 +11558,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -8595,7 +11651,12 @@ spec: type: object resultType: default: Data - description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + description: |- + Result type defines which data is returned from the generator. + By default it is the "data" section of the Vault API response. + When using e.g. /auth/token/create the "data" section is empty but + the "auth" section contains the generated token. + Please refer to the vault docs regarding the result data structure. enum: - Data - Auth 
@@ -8620,16 +11681,163 @@ spec: namespace: "default" path: /convert --- +# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: webhooks.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - webhook + kind: Webhook + listKind: WebhookList + plural: webhooks + shortNames: + - webhookl + singular: webhook + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Webhook connects to a third party API server to handle the secrets generation + configuration parameters in spec. + You can specify the server, the token, and additional body parameters. + See documentation for the full API specification for requests and responses. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. + properties: + body: + description: Body + type: string + caBundle: + description: |- + PEM encoded CA bundle used to validate webhook server certificate. 
Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. + format: byte + type: string + caProvider: + description: The provider for the CA bundle to use to validate webhook server certificate. + properties: + key: + description: The key the value inside of the provider type to use, only used with "Secret" type + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object + headers: + additionalProperties: + type: string + description: Headers + type: object + method: + description: Webhook Method + type: string + result: + description: Result formatting + properties: + jsonPath: + description: Json path of return value + type: string + type: object + secrets: + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name + items: + properties: + name: + description: Name of this secret in templates + type: string + secretRef: + description: Secret ref to fill in credentials + properties: + key: + description: The key where the token is found. + type: string + name: + description: The name of the Secret resource being referred to. 
+ type: string + type: object + required: + - name + - secretRef + type: object + type: array + timeout: + description: Timeout + type: string + url: + description: Webhook url to call + type: string + required: + - result + - url + type: object + type: object + served: true + storage: true + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + clientConfig: + service: + name: common-golang-external-secrets-webhook + namespace: "default" + path: /convert +--- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8693,10 +11901,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8739,8 +11947,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "get" - "list" 
@@ -8802,10 +12012,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8829,8 +12039,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "get" - "watch" @@ -8842,10 +12054,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8870,8 +12082,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "create" - "delete" @@ -8886,10 +12100,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8907,10 +12121,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8918,7 +12132,7 @@ roleRef: name: common-golang-external-secrets-cert-controller subjects: - name: external-secrets-cert-controller - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml @@ -8927,10 +12141,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8938,7 +12152,7 @@ roleRef: name: common-golang-external-secrets-controller subjects: - name: common-golang-external-secrets - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml 
@@ -8961,12 +12175,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: common-golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -9000,12 +12214,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: common-golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -9014,19 +12228,19 @@ roleRef: subjects: - kind: ServiceAccount name: common-golang-external-secrets - namespace: "default" + namespace: default --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml apiVersion: v1 kind: Service metadata: name: common-golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
@@ -9045,12 +12259,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: common-golang-external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9062,10 +12276,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -9080,7 +12294,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -9108,12 +12322,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: common-golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -9125,10 +12339,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: common-golang-external-secrets @@ -9143,7 +12357,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -9158,12 +12372,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: common-golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9175,10 +12389,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -9193,7 +12407,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - webhook 
@@ -9225,7 +12439,7 @@ spec: secret: secretName: common-golang-external-secrets-webhook --- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml +# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore metadata: @@ -9273,7 +12487,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: common-golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-secretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -9289,7 +12503,7 @@ webhooks: scope: "Cluster" clientConfig: service: - namespace: "default" + namespace: default name: common-golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-clustersecretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -9313,7 +12527,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: common-golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-externalsecret admissionReviewVersions: ["v1", "v1beta1"] diff --git a/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml b/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml index 0c569a2..a0ad351 100644 --- a/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml +++ b/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml 
@@ -4,12 +4,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -17,12 +17,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: common-golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -30,12 +30,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml 
@@ -43,12 +43,12 @@ apiVersion: v1 kind: Secret metadata: name: common-golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,7 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -85,18 +85,39 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md" + description: |- + ACRAccessToken returns a Azure Container Registry token + that can be used for pushing/pulling images. + Note: by default it will return an ACR Refresh Token with full access + (depending on the identity). + This can be scoped down to the repository level using .spec.scope. + In case scope is defined it will return an ACR Access Token. + + + See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: 'ACRAccessTokenSpec defines how to generate the access token e.g. how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview' + description: |- + ACRAccessTokenSpec defines how to generate the access token + e.g. how to authenticate and which registry to use. + see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview properties: auth: properties: 
@@ -111,32 +132,42 @@ spec: description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. properties: secretRef: - description: Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret. + description: |- + Configuration used to authenticate with Azure using static + credentials stored in a Kind=Secret. properties: clientId: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -147,10 +178,15 @@ spec: description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. properties: serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -158,7 +194,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -167,7 +205,11 @@ spec: type: object environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -175,10 +217,23 @@ spec: - GermanCloud type: string registry: - description: the domain name of the ACR registry e.g. foobarexample.azurecr.io + description: |- + the domain name of the ACR registry + e.g. foobarexample.azurecr.io type: string scope: - description: "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. \n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/" + description: |- + Define the scope for the access token, e.g. pull/push access for a repository. + if not provided it will return a refresh token that has full scope. + Note: you need to pin it down to the repository level, there is no wildcard available. + + + examples: + repository:my-repository:pull,push + repository:my-repository:pull + + + see docs for details: https://docs.docker.com/registry/spec/auth/scope/ type: string tenantId: description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. @@ -208,7 +263,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -239,10 +294,19 @@ spec: description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -273,7 +337,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -311,14 +377,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -338,7 +413,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -353,11 +430,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -395,7 +476,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -430,11 +513,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -447,10 +534,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -458,7 +549,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -482,7 +579,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -495,13 +594,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -513,11 +617,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -526,7 +634,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -536,7 +646,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -547,7 +660,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 
@@ -636,21 +752,31 @@ spec: type: object type: object namespaceSelector: - description: The labels to select by to find the Namespaces to create the ExternalSecrets in. + description: |- + The labels to select by to find the Namespaces to create the ExternalSecrets in. + Deprecated: Use NamespaceSelectors instead. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -662,10 +788,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + namespaceSelectors: + description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array namespaces: description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. items: @@ -739,7 +916,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io 
@@ -768,10 +945,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -779,7 +965,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -796,7 +984,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -805,23 +995,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -829,7 +1034,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -839,51 +1046,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -942,26 +1170,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -980,7 +1216,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -989,7 +1228,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -997,39 +1239,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1060,32 +1314,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -1095,10 +1361,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1106,7 +1377,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1155,13 +1428,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1177,7 +1454,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1185,7 +1465,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1212,13 +1494,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1246,13 +1532,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1277,29 +1567,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1310,7 +1612,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1318,7 +1623,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1328,16 +1635,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1387,7 +1700,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1396,26 +1712,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1434,13 +1758,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -1451,10 +1782,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -1462,7 +1798,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -1474,6 +1812,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
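Review bot: in the new `passworddepot` block, `auth.secretRef` has no `description` and no `required` list, so `auth` is satisfied by an empty `secretRef: {}` while `credentials` stays unset; if the provider cannot authenticate without that Secret, mark `credentials` as required (and give `secretRef` a description) in the Go type this CRD is generated from, so the API server rejects the misconfiguration at admission instead of the controller failing at sync time. The `host` field is described as a URL but carries no `format` or `pattern`, so malformed values are accepted as well.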
@@ -1481,26 +1859,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1509,55 +1901,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1565,7 +1985,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1575,55 +1997,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1631,7 +2084,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1641,27 +2096,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -1671,18 +2139,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -1708,23 +2184,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -1740,7 +2233,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -1781,7 +2278,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -1791,13 +2290,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -1828,13 +2331,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1842,16 +2349,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1918,10 +2431,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1931,7 +2453,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -1939,16 +2463,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1960,7 +2492,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1972,7 +2507,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1989,7 +2526,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -1998,23 +2537,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2022,7 +2576,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2032,51 +2588,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -2089,7 +2666,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2135,26 +2714,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2178,7 +2765,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -2187,7 +2777,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2195,52 +2788,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -2258,10 +2870,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
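Review bot: recoveryWindowInDays documents a 7 to 30 day range and mutual exclusion with forceDeleteWithoutRecovery, but the schema only carries `format: int64` and `type: integer`, so a value of 0 or 365, or both fields set at once, passes admission and only fails later when the DeleteSecret call is rejected by Secrets Manager. Suggest adding `minimum: 7` and `maximum: 30` on recoveryWindowInDays, and, if the supported Kubernetes baseline allows it, an `x-kubernetes-validations` rule on the secretsManager object that rejects the two fields being set together, so the documented constraint is enforced where the user sees the error.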
@@ -2297,38 +2919,67 @@ spec: description: AzureKV configures this store to sync secrets using Azure Key Vault provider properties: authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. + description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: clientId: - description: The Azure clientId of the service principle used for authentication. + description: The Azure clientId of the service principle or managed identity used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. 
+ type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + tenantId: + description: The Azure tenantId of the managed identity used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity 
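Review bot: the authType description still lists only "ServicePrincipal" and "ManagedIdentity" as valid values, while this same hunk makes authSecretRef "Optional for WorkloadIdentity", widens clientId to "service principle or managed identity", and adds a tenantId entry under authSecretRef; the description should name WorkloadIdentity as well and say which of clientId/tenantId are read from authSecretRef for that mode, otherwise an operator reading the schema cannot tell how the new tenantId secret reference is used. Also "service principle" should be "service principal" in both the clientId and the (unchanged) clientSecret descriptions, since these strings surface in `kubectl explain`.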
@@ -2336,7 +2987,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud @@ -2347,10 +3002,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2358,13 +3018,15 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. + description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. type: string vaultUrl: description: Vault Url from which the secrets to be fetched from. 
@@ -2372,6 +3034,49 @@ spec: required: - vaultUrl type: object + chef: + description: Chef configures this store to sync secrets with chef server + properties: + auth: + description: Auth defines the information necessary to authenticate against chef Server + properties: + secretRef: + description: ChefAuthSecretRef holds secret references for chef server login credentials. + properties: + privateKeySecretRef: + description: SecretKey is the Signing Key in PEM format, used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - privateKeySecretRef + type: object + required: + - secretRef + type: object + serverUrl: + description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" + type: string + username: + description: UserName should be the user ID on the chef server + type: string + required: + - auth + - serverUrl + - username + type: object conjur: description: Conjur configures this store to sync secrets using conjur provider properties: 
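Review bot: serverUrl's description asks for the org to be included and the URL to be terminated with a "/", but nothing in the schema enforces it (no `format` or `pattern` on the string), so a bare hostname validates at admission and fails on the first request; a `pattern` anchored on a trailing "/" would catch that up front. The privateKeySecretRef description also calls the field "SecretKey", which matches neither the field name nor its role as the request-signing key; naming it consistently (and stating that it is a private key that signs every request, i.e. a credential that must be rotated if leaked) would make the secretRef's sensitivity clear to anyone reading the CRD.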
@@ -2382,29 +3087,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2416,24 +3133,40 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2441,7 +3174,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -2457,7 +3192,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -2466,7 +3204,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2485,7 +3225,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. @@ -2494,13 +3236,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -2514,13 +3260,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -2531,10 +3281,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId 
@@ -2550,16 +3304,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2620,6 +3381,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
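Review bot: the fortanix block declares no `required` fields at any level, so `fortanix: {}` or an apiKey whose secretRef lacks name/key validates cleanly and only fails at runtime when the provider tries to read the key; add `required: [apiKey]` on the provider and `required: [secretRef]` under apiKey, as the chef block added in this same patch already does for its auth/secretRef/privateKeySecretRef chain. apiUrl's documented default `sdkms.fortanix.com` also carries no scheme; either state that HTTPS is implied or put the default into the schema with `default:`, the way azurekv does with `default: PublicCloud`, so the effective endpoint is visible without reading the provider code.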
@@ -2632,13 +3421,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2654,7 +3447,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2662,7 +3458,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2689,13 +3487,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2750,13 +3552,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2771,16 +3577,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -2801,29 +3613,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2831,7 +3655,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2839,7 +3666,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2848,16 +3677,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2883,7 +3718,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2903,6 +3740,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -2916,13 +3817,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2948,7 +3853,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -2957,26 +3864,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2995,13 +3910,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -3012,10 +3934,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3023,7 +3950,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3035,6 +3964,145 @@ spec: - region - vault type: object + passbolt: + properties: + auth: + description: Auth defines the information necessary to authenticate against Passbolt Server + properties: + passwordSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + privateKeySecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - passwordSecretRef + - privateKeySecretRef + type: object + host: + description: Host defines the Passbolt Server to connect to + type: string + required: + - auth + - host + type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. 
+ properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object + pulumi: + description: Pulumi configures this store to sync secrets using the Pulumi provider + properties: + accessToken: + description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + default: https://api.pulumi.com + description: APIURL is the URL of the Pulumi API. 
+ type: string + environment: + description: |- + Environment are YAML documents composed of static key-value pairs, programmatic expressions, + dynamically retrieved values from supported providers including all major clouds, + and other Pulumi ESC environments. + To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. + type: string + organization: + description: |- + Organization are a space to collaborate on shared projects and stacks. + To create a new organization, visit https://app.pulumi.com/ and click "New Organization". + type: string + required: + - accessToken + - environment + - organization + type: object scaleway: description: Scaleway properties: @@ -3045,13 +4113,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3074,13 +4146,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3102,16 +4178,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3140,39 +4222,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3180,37 +4284,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -3222,7 +4342,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3230,7 +4353,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3252,39 +4377,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3298,25 +4438,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3324,7 +4480,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
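Review bot: the rewrapped `audiences` description in the preceding `kubernetesServiceAccountToken` hunk still carries the upstream typo "Defaults to a single audience `vault` it not specified" (should read "if not specified"); since these CRDs are controller-gen output, do not hand-edit the YAML here, the fix belongs in the Go doc comment in external-secrets so it survives the next regeneration. Same hunk also marks both `audiences` and `expirationSeconds` under `kubernetesServiceAccountToken` as Deprecated in favour of `serviceAccountRef.Audiences`, which is worth a line in the changelog for anyone still setting them.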
@@ -3334,55 +4492,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3390,7 +4579,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3400,43 +4591,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
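Review bot: the `namespace` property added under `auth` in this hunk ("Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.") is a functional schema addition, not a description rewrap like the surrounding lines, and should be called out explicitly in the commit message rather than folded into the controller-gen bump. Per its own description it falls back to the `Vault.Namespace` field when unset, so existing stores keep their behaviour, but the controller image shipped with these CRDs must be at least the external-secrets release that introduced the field; otherwise the API server accepts `auth.namespace` while the running controller ignores it, which is exactly the kind of schema/controller drift that is hard to spot in a Vault Enterprise multi-tenant setup.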
@@ -3444,23 +4660,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -3468,7 +4695,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3481,7 +4712,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -3494,23 +4727,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -3526,7 +4825,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3567,7 +4870,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
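Review bot: the new `tls` block (`certSecretRef` / `keySecretRef`) in this hunk adds client-side mutual TLS to the Vault provider and is, like `auth.namespace`, new functionality rather than reformatting; the commit should state which external-secrets release these CRDs were generated from so the chart's controller version can be checked against it. Two details from the hunk worth noting in the docs: the description says the Secret keys default to 'tls.crt' and 'tls.key' (matching a `kubernetes.io/tls` Secret) when no `key` is given, and neither `certSecretRef` nor `keySecretRef` is listed as `required`, so the schema will accept a store that sets only one of the two and the failure surfaces only at connect time; the description also correctly distinguishes this transport-layer configuration from the `auth.cert` TLS certificate auth method, which reviewers should not conflate.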
@@ -3577,13 +4882,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -3614,13 +4923,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3628,16 +4941,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3657,13 +4976,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3671,16 +4994,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -3750,7 +5079,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -3768,13 +5097,28 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. + description: |- + ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an + authorization token. + The authorization token is valid for 12 hours. + The authorizationToken returned is a base64 encoded string that can be decoded + and used in a docker login command to authenticate to a registry. + For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3790,7 +5134,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3798,52 +5145,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -3852,7 +5218,9 @@ spec: description: Region specifies the region to operate in. type: string role: - description: You can assume a role before making calls to the desired AWS service. + description: |- + You can assume a role before making calls to the + desired AWS service. type: string required: - region @@ -3878,7 +5246,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: externalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -3910,10 +5278,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3955,7 +5332,9 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: description: ExternalSecretDataRemoteRef defines Provider data location. properties: 
@@ -3981,13 +5360,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -3996,11 +5380,15 @@ spec: - name type: object target: - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Merge 
@@ -4010,7 +5398,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4021,7 +5412,10 @@ spec: type: object engineVersion: default: v1 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4093,7 +5487,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4117,7 +5514,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4149,10 +5548,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4165,7 +5573,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -4203,14 +5613,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -4230,7 +5649,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4245,11 +5666,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -4287,7 +5712,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -4322,11 +5749,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -4339,10 +5770,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -4350,7 +5785,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -4374,7 +5815,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4387,13 +5830,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -4405,11 +5853,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -4418,7 +5870,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -4428,7 +5882,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4439,7 +5896,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4533,7 +5993,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4557,7 +6020,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4586,7 +6051,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4604,13 +6069,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Fake generator is used for testing. It lets you define a static set of credentials that is always returned. + description: |- + Fake generator is used for testing. It lets you define + a static set of credentials that is always returned. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4618,12 +6094,16 @@ spec: description: FakeSpec contains the static data. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string data: additionalProperties: type: string - description: Data defines the static data returned by this generator. + description: |- + Data defines the static data returned + by this generator. type: object type: object type: object @@ -4647,7 +6127,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -4665,13 +6145,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: GCRAccessToken generates an GCP access token that can be used to authenticate with GCR. + description: |- + GCRAccessToken generates an GCP access token + that can be used to authenticate with GCR. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4686,13 +6177,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -4708,7 +6203,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -4716,7 +6214,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -4750,65 +6250,187 @@ spec: namespace: "default" path: /convert --- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml +# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: passwords.generators.external-secrets.io + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubaccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io names: categories: - - password - kind: Password - listKind: PasswordList - plural: passwords + - githubaccesstoken + kind: GithubAccessToken + listKind: GithubAccessTokenList + plural: githubaccesstokens shortNames: - - password - singular: password + - githubaccesstoken + singular: githubaccesstoken scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: - description: Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes. + description: GithubAccessToken generates ghs_ accessToken properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: PasswordSpec controls the behavior of the password generator. properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: Length of the password to be generated. Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: SymbolCharacters specifies the special characters that should be used in the generated password. + appID: type: string - symbols: - description: Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat + auth: + description: Auth configures how ESO authenticates with a Github instance. + properties: + privatKey: + properties: + secretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. 
+ type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - secretRef + type: object + required: + - privatKey + type: object + installID: + type: string + url: + description: URL configures the Github instance URL. Defaults to https://github.com/. + type: string + required: + - appID + - auth + - installID + type: object + type: object + served: true + storage: true + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + clientConfig: + service: + name: common-golang-external-secrets-webhook + namespace: "default" + path: /convert +--- +# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: passwords.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - password + kind: Password + listKind: PasswordList + plural: passwords + shortNames: + - password + singular: password + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Password generates a random password based on the + configuration parameters in spec. + You can specify the length, characterset and other attributes. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PasswordSpec controls the behavior of the password generator. + properties: + allowRepeat: + default: false + description: set AllowRepeat to true to allow repeating characters. + type: boolean + digits: + description: |- + Digits specifies the number of digits in the generated + password. If omitted it defaults to 25% of the length of the password + type: integer + length: + default: 24 + description: |- + Length of the password to be generated. + Defaults to 24 + type: integer + noUpper: + default: false + description: Set NoUpper to disable uppercase characters + type: boolean + symbolCharacters: + description: |- + SymbolCharacters specifies the special characters that should be used + in the generated password. + type: string + symbols: + description: |- + Symbols specifies the number of symbol characters in the generated + password. If omitted it defaults to 25% of the length of the password + type: integer + required: + - allowRepeat - length - noUpper type: object @@ -4833,7 +6455,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: pushsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -4858,10 +6480,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4872,6 +6503,13 @@ spec: description: Secret Data that should be pushed to providers items: properties: + conversionStrategy: + default: None + description: Used to define a conversion Strategy for the secret keys + enum: + - None + - ReverseUnicode + type: string match: description: Match a given Secret Key to be pushed to the provider. properties: 
@@ -4894,7 +6532,9 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match @@ -4915,7 +6555,9 @@ spec: properties: kind: default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string labelSelector: description: Optionally, sync to secret stores with label selector 
@@ -4923,16 +6565,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4944,7 +6594,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4977,7 +6630,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -5063,6 +6719,13 @@ spec: type: type: string type: object + updatePolicy: + default: Replace + description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' + enum: + - Replace + - IfNotExists + type: string required: - secretStoreRefs - selector @@ -5092,7 +6755,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -5100,6 +6765,13 @@ spec: additionalProperties: additionalProperties: properties: + conversionStrategy: + default: None + description: Used to define a conversion Strategy for the secret keys + enum: + - None + - ReverseUnicode + type: string match: description: Match a given Secret Key to be pushed to the provider. properties: @@ -5122,13 +6794,17 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match type: object type: object - description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore. + description: |- + Synced PushSecrets, including secrets that already exist in provider. + Matches secret stores to PushSecretData that was stored to that secret store. type: object syncedResourceVersion: description: SyncedResourceVersion keeps track of the last synced version. @@ -5155,7 +6831,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretstores.external-secrets.io spec: group: external-secrets.io 
@@ -5184,10 +6860,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -5195,7 +6880,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5212,7 +6899,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -5221,23 +6910,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5245,7 +6949,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5255,51 +6961,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -5358,26 +7085,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5396,7 +7131,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -5405,7 +7143,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5413,39 +7154,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5476,32 +7229,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -5511,10 +7276,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5522,7 +7292,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5571,13 +7343,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5593,7 +7369,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5601,7 +7380,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5628,13 +7409,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5662,13 +7447,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5693,29 +7482,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5726,7 +7527,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5734,7 +7538,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5744,16 +7550,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5803,7 +7615,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5812,26 +7627,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5850,13 +7673,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -5867,10 +7697,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5878,7 +7713,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -5890,6 +7727,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
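Review bot: in the new `passworddepot` block, `auth` lists `secretRef` as required but `secretRef` itself carries no `required:` list, so `auth: {secretRef: {}}` passes schema validation and a missing `credentials` reference only surfaces as a runtime error in the controller; add `required: - credentials` under `secretRef`. Two smaller points in the same block: `host` is described as "URL configures the Password Depot instance URL", so either the field name or the description should be aligned, and unlike the `vault` and `webhook` providers further down there is no `caBundle`/`caProvider`, so an instance behind a private CA cannot have its certificate pinned and server validation falls back entirely to the system trust store.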
@@ -5897,26 +7774,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5925,55 +7816,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5981,7 +7900,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
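Review bot: the `jwt.kubernetesServiceAccountToken.audiences` description reads "Defaults to a single audience `vault` it not specified", which should be "if not specified"; if these descriptions are generated from Go doc comments, correct it at the source type so the next regeneration does not reintroduce it. The same applies to "ServiceAccountRef specified the service account" in the Oracle provider hunk above.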
@@ -5991,55 +7912,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6047,7 +7999,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
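Review bot: the `kubernetes.secretRef` description states that when neither `secretRef` nor `serviceAccountRef` is set "the one bound to the controller will be used", so a store that omits both authenticates to Vault with the controller's own ServiceAccount token rather than a per-store identity; worth calling out in the pattern's Vault documentation so the Vault role's bound ServiceAccount is reviewed deliberately instead of inheriting the controller's. Also note that `audiences` defaults to `vault` and `expirationSeconds` to 10 minutes, which is the sensible short-lived default and should not be raised without a reason.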
@@ -6057,27 +8011,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -6087,18 +8054,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6124,23 +8099,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -6156,7 +8148,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -6197,7 +8193,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -6207,13 +8205,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -6244,13 +8246,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6258,16 +8264,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6334,10 +8346,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -6347,7 +8368,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -6355,16 +8378,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6376,7 +8407,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6388,7 +8422,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -6405,7 +8441,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -6414,23 +8452,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6438,7 +8491,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6448,51 +8503,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6505,7 +8581,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -6551,26 +8629,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6594,7 +8680,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -6603,7 +8692,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -6611,52 +8703,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -6674,10 +8785,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
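Review bot: in the last hunk, `recoveryWindowInDays` documents a 7 to 30 day range but the schema only carries `format: int64` / `type: integer`, so an out-of-range value passes admission and is rejected only by Secrets Manager at delete time; likewise the mutual exclusion with `forceDeleteWithoutRecovery` is stated in both descriptions but enforced by nothing in the schema. If this CRD is generated upstream, `minimum: 7` / `maximum: 30` bounds (and an XValidation for the exclusion) belong in the upstream kubebuilder markers rather than in this file.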
@@ -6713,38 +8834,67 @@ spec: description: AzureKV configures this store to sync secrets using Azure Key Vault provider properties: authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. + description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: clientId: - description: The Azure clientId of the service principle used for authentication. + description: The Azure clientId of the service principle or managed identity used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. 
type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + tenantId: + description: The Azure tenantId of the managed identity used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity 
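Review bot: the `authType` description in this hunk still lists only "ServicePrincipal" and "ManagedIdentity" as valid values, while the changed `authSecretRef` description in the same hunk says it is "Optional for WorkloadIdentity" and a new `tenantId` secret reference is added for that case; the valid-values list should name WorkloadIdentity so a reader can tell which auth type the new `tenantId`/`clientId` references apply to. Minor: "service principle" in the changed `clientId` description (and the unchanged `clientSecret` one) should read "service principal". Both are generated-content fixes for upstream, not for this file.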
@@ -6752,7 +8902,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud @@ -6763,10 +8917,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -6774,13 +8933,15 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. + description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. type: string vaultUrl: description: Vault Url from which the secrets to be fetched from. 
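Review bot: with this hunk the provider-level `tenantId` becomes "Optional for WorkloadIdentity" at the same time as `authSecretRef` gains its own `tenantId` secret reference, and neither description says which one is used when both are set; a sentence on precedence (for example that the secret reference is consulted only when the plain field is empty) would stop an operator from silently authenticating against the wrong tenant.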
@@ -6788,6 +8949,49 @@ spec: required: - vaultUrl type: object + chef: + description: Chef configures this store to sync secrets with chef server + properties: + auth: + description: Auth defines the information necessary to authenticate against chef Server + properties: + secretRef: + description: ChefAuthSecretRef holds secret references for chef server login credentials. + properties: + privateKeySecretRef: + description: SecretKey is the Signing Key in PEM format, used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - privateKeySecretRef + type: object + required: + - secretRef + type: object + serverUrl: + description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" + type: string + username: + description: UserName should be the user ID on the chef server + type: string + required: + - auth + - serverUrl + - username + type: object conjur: description: Conjur configures this store to sync secrets using conjur provider properties: 
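Review bot: the new `chef` provider's `serverUrl` description requires the org to be part of the URL and the URL to end with "/", but the schema is a bare `type: string` with no `pattern` or `format: uri`, so a missing trailing slash is only discovered at sync time; a pattern marker upstream (something like `^https?://.*/$`) would surface it at admission. Also, `privateKeySecretRef`'s description ("SecretKey is the Signing Key in PEM format") names the field differently from the property itself; aligning the two makes the field easier to grep for. Both are upstream fixes for the generated CRD rather than edits to this file.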
@@ -6798,29 +9002,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6832,24 +9048,40 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6857,7 +9089,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -6873,7 +9107,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -6882,7 +9119,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -6901,7 +9140,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. @@ -6910,13 +9151,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -6930,13 +9175,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -6947,10 +9196,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId 
@@ -6966,16 +9219,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7036,6 +9296,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
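Review bot: in the new `fortanix` block, the `apiUrl` description promises "Defaults to `sdkms.fortanix.com`" but the schema carries no `default:` for that field, so the CRD does not encode the default the doc states; either add `default: sdkms.fortanix.com` under `apiUrl` or reword the description to say the controller applies that default when the field is unset, so that what `kubectl explain` shows and what the operator does cannot drift apart.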
@@ -7048,13 +9336,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7070,7 +9362,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7078,7 +9373,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7105,13 +9402,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7166,13 +9467,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7187,16 +9492,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -7217,29 +9528,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7247,7 +9570,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7255,7 +9581,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7264,16 +9592,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7299,7 +9633,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7319,6 +9655,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -7332,13 +9732,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
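Review bot: in the `onboardbase` block, `project` is given `default: development`, which reads as a copy of the `environment` default directly above it; a project name silently defaulting to "development" would point a store at the wrong project without any error, so drop that default (leaving `project` in `required`, as it already is) or set the intended value. Same block: "environmnent" in the `environment` description is misspelled, and the `apiHost` description repeats the URL that `default:` already carries, so one of the two will go stale when the other changes; consider saying "defaults to the value of `default`" rather than restating it.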
@@ -7364,7 +9768,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -7373,26 +9779,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7411,13 +9825,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -7428,10 +9849,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -7439,7 +9865,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7451,6 +9879,145 @@ spec: - region - vault type: object + passbolt: + properties: + auth: + description: Auth defines the information necessary to authenticate against Passbolt Server + properties: + passwordSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + privateKeySecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - passwordSecretRef + - privateKeySecretRef + type: object + host: + description: Host defines the Passbolt Server to connect to + type: string + required: + - auth + - host + type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. 
+ properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object + pulumi: + description: Pulumi configures this store to sync secrets using the Pulumi provider + properties: + accessToken: + description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + default: https://api.pulumi.com + description: APIURL is the URL of the Pulumi API. 
+ type: string + environment: + description: |- + Environment are YAML documents composed of static key-value pairs, programmatic expressions, + dynamically retrieved values from supported providers including all major clouds, + and other Pulumi ESC environments. + To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. + type: string + organization: + description: |- + Organization are a space to collaborate on shared projects and stacks. + To create a new organization, visit https://app.pulumi.com/ and click "New Organization". + type: string + required: + - accessToken + - environment + - organization + type: object scaleway: description: Scaleway properties: @@ -7461,13 +10028,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
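Review bot: the `passbolt` entry is the only provider added here without a top-level `description:`, so it will render as an undocumented key in `kubectl explain`; add a one-line description like the neighbouring providers have. In `passworddepot`, the `credentials` description says "Username / Password is used for authentication" but the selector points at a single Secret key, so state the expected format of that one value (for example which separator or encoding the controller parses), and the `host` field's description reads "URL configures the Password Depot instance URL.", which names a field that does not exist; rename the description to match `host`. In `pulumi`, the descriptions "AccessToken is the access tokens", "Environment are YAML documents" and "Organization are a space" have number agreement errors and should be singular.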
@@ -7490,13 +10061,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7518,16 +10093,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7556,39 +10137,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7596,37 +10199,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -7638,7 +10257,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7646,7 +10268,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7668,39 +10292,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7714,25 +10353,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7740,7 +10395,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7750,55 +10407,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7806,7 +10494,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7816,43 +10506,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
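Review bot: the new `auth.namespace` field (the `+ namespace:` block before `tokenSecretRef:`) documents its default as "Vault.Namespace field if set, or empty otherwise" but leaves the precedence implicit when both it and the provider-level `namespace` are set; the description should say plainly that this value is sent with the login request while the provider-level `namespace` governs secret reads, because the description itself allows them to differ ("This can be different than the namespace your secret is in") and an operator otherwise cannot tell from the spec which namespace the token was issued in. Minor wording: "different than" should read "different from"; if these descriptions are generated from upstream Go doc comments, that fix belongs upstream rather than in this file.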
@@ -7860,23 +10575,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -7884,7 +10610,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7897,7 +10627,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7910,23 +10642,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -7942,7 +10740,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7983,7 +10785,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
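Review bot: the new `tls` object (`certSecretRef` and `keySecretRef`) carries a client private key, and its `keySecretRef.namespace` is honoured whenever the referent is cluster-scoped, so a ClusterSecretStore can read a TLS key out of any namespace; the description should say so, and the `tls` object closes with `type: object` and no `required:` block, so nothing states whether `certSecretRef` without `keySecretRef` (or the reverse) is a valid spec. Suggest either adding `required: [certSecretRef, keySecretRef]` or extending the description with one sentence on what happens when only one is set. The description already distinguishes this from the `auth.cert` method, which is good; cross-referencing `caBundle`/`caProvider` (the `caBundle` hunk above carries the same "Only used if the Server URL is using HTTPS protocol" caveat) would complete the picture of which fields govern server validation versus client presentation.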
@@ -7993,13 +10797,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -8030,13 +10838,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8044,16 +10856,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8073,13 +10891,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8087,16 +10909,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -8166,7 +10994,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -8186,17 +11014,28 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string method: description: Vault API method to use (GET/POST/other) 
@@ -8214,39 +11053,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -8254,37 +11115,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -8296,7 +11173,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8304,7 +11184,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8326,39 +11208,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8372,25 +11269,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8398,7 +11311,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8408,55 +11323,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8464,7 +11410,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8474,43 +11422,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -8518,23 +11491,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -8542,7 +11526,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -8555,7 +11543,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -8568,23 +11558,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -8595,7 +11651,12 @@ spec: type: object resultType: default: Data - description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + description: |- + Result type defines which data is returned from the generator. + By default it is the "data" section of the Vault API response. + When using e.g. /auth/token/create the "data" section is empty but + the "auth" section contains the generated token. + Please refer to the vault docs regarding the result data structure. enum: - Data - Auth 
@@ -8620,16 +11681,163 @@ spec: namespace: "default" path: /convert --- +# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: webhooks.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - webhook + kind: Webhook + listKind: WebhookList + plural: webhooks + shortNames: + - webhookl + singular: webhook + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Webhook connects to a third party API server to handle the secrets generation + configuration parameters in spec. + You can specify the server, the token, and additional body parameters. + See documentation for the full API specification for requests and responses. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. + properties: + body: + description: Body + type: string + caBundle: + description: |- + PEM encoded CA bundle used to validate webhook server certificate. 
Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. + format: byte + type: string + caProvider: + description: The provider for the CA bundle to use to validate webhook server certificate. + properties: + key: + description: The key the value inside of the provider type to use, only used with "Secret" type + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object + headers: + additionalProperties: + type: string + description: Headers + type: object + method: + description: Webhook Method + type: string + result: + description: Result formatting + properties: + jsonPath: + description: Json path of return value + type: string + type: object + secrets: + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name + items: + properties: + name: + description: Name of this secret in templates + type: string + secretRef: + description: Secret ref to fill in credentials + properties: + key: + description: The key where the token is found. + type: string + name: + description: The name of the Secret resource being referred to. 
+ type: string + type: object + required: + - name + - secretRef + type: object + type: array + timeout: + description: Timeout + type: string + url: + description: Webhook url to call + type: string + required: + - result + - url + type: object + type: object + served: true + storage: true + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + clientConfig: + service: + name: common-golang-external-secrets-webhook + namespace: "default" + path: /convert +--- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8693,10 +11901,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8739,8 +11947,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "get" - "list" 
@@ -8802,10 +12012,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8829,8 +12039,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "get" - "watch" @@ -8842,10 +12054,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8870,8 +12082,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "create" - "delete" @@ -8886,10 +12100,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8907,10 +12121,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8918,7 +12132,7 @@ roleRef: name: common-golang-external-secrets-cert-controller subjects: - name: external-secrets-cert-controller - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml @@ -8927,10 +12141,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8938,7 +12152,7 @@ roleRef: name: common-golang-external-secrets-controller subjects: - name: common-golang-external-secrets - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml 
@@ -8961,12 +12175,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: common-golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -9000,12 +12214,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: common-golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -9014,19 +12228,19 @@ roleRef: subjects: - kind: ServiceAccount name: common-golang-external-secrets - namespace: "default" + namespace: default --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml apiVersion: v1 kind: Service metadata: name: common-golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
@@ -9045,12 +12259,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: common-golang-external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9062,10 +12276,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -9080,7 +12294,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -9108,12 +12322,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: common-golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -9125,10 +12339,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: common-golang-external-secrets @@ -9143,7 +12357,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -9158,12 +12372,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: common-golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9175,10 +12389,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -9193,7 +12407,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - webhook 
@@ -9225,7 +12439,7 @@ spec: secret: secretName: common-golang-external-secrets-webhook --- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml +# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore metadata: @@ -9273,7 +12487,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: common-golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-secretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -9289,7 +12503,7 @@ webhooks: scope: "Cluster" clientConfig: service: - namespace: "default" + namespace: default name: common-golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-clustersecretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -9313,7 +12527,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: common-golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-externalsecret admissionReviewVersions: ["v1", "v1beta1"] diff --git a/tests/common-golang-external-secrets-naked.expected.yaml b/tests/common-golang-external-secrets-naked.expected.yaml index 99f0d5c..3d54dd6 100644 --- a/tests/common-golang-external-secrets-naked.expected.yaml +++ b/tests/common-golang-external-secrets-naked.expected.yaml @@ -4,12 +4,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml 
@@ -17,12 +17,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: common-golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -30,12 +30,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -43,12 +43,12 @@ apiVersion: v1 kind: Secret metadata: name: common-golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,7 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -85,18 +85,39 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md" + description: |- + ACRAccessToken returns a Azure Container Registry token + that can be used for pushing/pulling images. + Note: by default it will return an ACR Refresh Token with full access + (depending on the identity). + This can be scoped down to the repository level using .spec.scope. + In case scope is defined it will return an ACR Access Token. + + + See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: 'ACRAccessTokenSpec defines how to generate the access token e.g. how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview' + description: |- + ACRAccessTokenSpec defines how to generate the access token + e.g. how to authenticate and which registry to use. + see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview properties: auth: properties: 
@@ -111,32 +132,42 @@ spec: description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. properties: secretRef: - description: Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret. + description: |- + Configuration used to authenticate with Azure using static + credentials stored in a Kind=Secret. properties: clientId: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -147,10 +178,15 @@ spec: description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. properties: serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -158,7 +194,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -167,7 +205,11 @@ spec: type: object environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -175,10 +217,23 @@ spec: - GermanCloud type: string registry: - description: the domain name of the ACR registry e.g. foobarexample.azurecr.io + description: |- + the domain name of the ACR registry + e.g. foobarexample.azurecr.io type: string scope: - description: "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. \n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/" + description: |- + Define the scope for the access token, e.g. pull/push access for a repository. + if not provided it will return a refresh token that has full scope. + Note: you need to pin it down to the repository level, there is no wildcard available. + + + examples: + repository:my-repository:pull,push + repository:my-repository:pull + + + see docs for details: https://docs.docker.com/registry/spec/auth/scope/ type: string tenantId: description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. @@ -208,7 +263,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -239,10 +294,19 @@ spec: description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -273,7 +337,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -311,14 +377,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -338,7 +413,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -353,11 +430,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -395,7 +476,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -430,11 +513,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -447,10 +534,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
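Review bot: In the `transform.template` hunk the backticked token `.value ` carries a trailing space inside the backticks, in both the removed and the added description; since this reflow is touching the line anyway, it is the moment to drop that space so the rendered field docs show `.value` as the actual template variable.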
@@ -458,7 +549,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -482,7 +579,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -495,13 +594,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -513,11 +617,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -526,7 +634,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -536,7 +646,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -547,7 +660,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 
@@ -636,21 +752,31 @@ spec: type: object type: object namespaceSelector: - description: The labels to select by to find the Namespaces to create the ExternalSecrets in. + description: |- + The labels to select by to find the Namespaces to create the ExternalSecrets in. + Deprecated: Use NamespaceSelectors instead. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -662,10 +788,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + namespaceSelectors: + description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array namespaces: description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. items: @@ -739,7 +916,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io 
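Review bot: The `namespaces` description in the `namespaceSelectors` hunk is now stale: it still says the field "is ORed with anything that NamespaceSelector ends up choosing", while the same hunk marks `namespaceSelector` as "Deprecated: Use NamespaceSelectors instead" and adds the new `namespaceSelectors` list whose entries are themselves ORed. Suggest updating that description to reference `namespaceSelectors` (the resulting target set is the union of the name matches and every selector match). Nothing in the visible schema constrains setting both the deprecated `namespaceSelector` and the new list together, so if the controller honours both, the description should state how they combine; a wider union means a ClusterExternalSecret fans its Secret out into more namespaces, which is exactly the property an operator reviewing these CRDs needs to be able to read off the field docs.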
@@ -768,10 +945,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -779,7 +965,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -796,7 +984,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -805,23 +995,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -829,7 +1034,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -839,51 +1046,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -942,26 +1170,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -980,7 +1216,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -989,7 +1228,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -997,39 +1239,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1060,32 +1314,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -1095,10 +1361,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1106,7 +1377,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
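Review bot: The reflowed `authType` description in the Azure Key Vault hunk lists only "ServicePrincipal" and "ManagedIdentity" as valid values, yet `serviceAccountRef` in the same region says it is the account used "when authenticating with WorkloadIdentity". The enum context is cut off after `ManagedIdentity` in this hunk, so if WorkloadIdentity is an accepted `authType`, the description's value list should be extended to include it so the documented values match the enum the API server enforces.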
@@ -1155,13 +1428,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1177,7 +1454,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1185,7 +1465,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1212,13 +1494,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1246,13 +1532,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1277,29 +1567,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1310,7 +1612,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1318,7 +1623,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1328,16 +1635,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1387,7 +1700,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1396,26 +1712,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1434,13 +1758,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -1451,10 +1782,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -1462,7 +1798,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -1474,6 +1812,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
@@ -1481,26 +1859,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1509,55 +1901,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1565,7 +1985,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1575,55 +1997,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1631,7 +2084,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1641,27 +2096,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -1671,18 +2139,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -1708,23 +2184,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -1740,7 +2233,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -1781,7 +2278,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -1791,13 +2290,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -1828,13 +2331,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1842,16 +2349,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1918,10 +2431,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1931,7 +2453,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -1939,16 +2463,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1960,7 +2492,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1972,7 +2507,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1989,7 +2526,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -1998,23 +2537,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2022,7 +2576,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2032,51 +2588,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -2089,7 +2666,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2135,26 +2714,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2178,7 +2765,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -2187,7 +2777,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2195,52 +2788,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -2258,10 +2870,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
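Review bot: the "from 7 to 30" range in the recoveryWindowInDays description is documentation only; the field is declared as `format: int64` / `type: integer` with no `minimum: 7` / `maximum: 30`, so an out-of-range value passes API-server validation and is rejected only by AWS at delete time. The same goes for the "You can't use both this parameter and ForceDeleteWithoutRecovery" sentence, which describes the AWS DeleteSecret call rather than this resource: nothing in the schema prevents setting both fields, and since `forceDeleteWithoutRecovery: true` removes the recovery window entirely, it would be worth adding the bounds and stating plainly that the two fields are mutually exclusive in the store spec.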
@@ -2297,38 +2919,67 @@ spec: description: AzureKV configures this store to sync secrets using Azure Key Vault provider properties: authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. + description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: clientId: - description: The Azure clientId of the service principle used for authentication. + description: The Azure clientId of the service principle or managed identity used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. 
+ type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + tenantId: + description: The Azure tenantId of the managed identity used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity 
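Review bot: the authType description's "Valid values are" list still names only ServicePrincipal and ManagedIdentity, while authSecretRef in the same hunk is now "Optional for WorkloadIdentity", clientId is described as "service principle or managed identity", and a new `tenantId` secret reference is added under authSecretRef; the list should be extended to say which auth types consume these fields (at least WorkloadIdentity, given the other text), otherwise a reader cannot tell from the CRD which combination is valid. Also "service principle" in the clientId and clientSecret descriptions should read "service principal".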
@@ -2336,7 +2987,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud @@ -2347,10 +3002,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2358,13 +3018,15 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. + description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. type: string vaultUrl: description: Vault Url from which the secrets to be fetched from. 
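Review bot: after this change the tenant can be supplied in two places, the plain-string `tenantId` here ("Required for ServicePrincipal auth type. Optional for WorkloadIdentity.") and the new `authSecretRef.tenantId` secret reference added in the preceding hunk, and neither description says which one is used when both are set. Suggest stating the precedence in one of the two descriptions, e.g. "... Optional for WorkloadIdentity. Ignored if authSecretRef.tenantId is set." (or the reverse, whichever the controller actually implements), since a silently ignored tenant value means authenticating against the wrong Azure tenant.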
@@ -2372,6 +3034,49 @@ spec: required: - vaultUrl type: object + chef: + description: Chef configures this store to sync secrets with chef server + properties: + auth: + description: Auth defines the information necessary to authenticate against chef Server + properties: + secretRef: + description: ChefAuthSecretRef holds secret references for chef server login credentials. + properties: + privateKeySecretRef: + description: SecretKey is the Signing Key in PEM format, used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - privateKeySecretRef + type: object + required: + - secretRef + type: object + serverUrl: + description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" + type: string + username: + description: UserName should be the user ID on the chef server + type: string + required: + - auth + - serverUrl + - username + type: object conjur: description: Conjur configures this store to sync secrets using conjur provider properties: 
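Review bot: the new chef provider has no caBundle or caProvider field, unlike the webhook, Akeyless and Yandex providers touched in this same patch, so the TLS connection to serverUrl can only be validated against the system root certificates; a Chef server behind a private CA cannot be configured with certificate validation at all. Two smaller points in the same hunk: the privateKeySecretRef description reads "SecretKey is the Signing Key in PEM format" although the field is named privateKeySecretRef, and serverUrl is a free-form string even though the description requires the org to be included and the URL to end with "/"; a `pattern` (or at least `format: uri`) on serverUrl and a description that matches the field name would catch misconfiguration at admission time instead of at the first sync.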
@@ -2382,29 +3087,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2416,24 +3133,40 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2441,7 +3174,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -2457,7 +3192,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -2466,7 +3204,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2485,7 +3225,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. @@ -2494,13 +3236,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -2514,13 +3260,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -2531,10 +3281,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId 
@@ -2550,16 +3304,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2620,6 +3381,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
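Review bot: In the `fortanix` block, `apiUrl` states "Defaults to `sdkms.fortanix.com`" in its description only; unlike `onboardbase` and `pulumi` elsewhere in this diff there is no `default:` entry, so the default is applied in controller code and is never persisted on the stored object. Also, neither `apiKey` nor `apiKey.secretRef` appears under `required:`, so a store with no credential reference validates cleanly and fails at reconcile time; a `default:` matching the description and a `required: - apiKey` list would catch both at apply time.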
@@ -2632,13 +3421,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2654,7 +3447,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2662,7 +3458,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2689,13 +3487,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2750,13 +3552,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2771,16 +3577,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -2801,29 +3613,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2831,7 +3655,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2839,7 +3666,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2848,16 +3677,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2883,7 +3718,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2903,6 +3740,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -2916,13 +3817,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
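Review bot: In the `onboardbase` block, `project` defaults to `development`, the same value as `environment`; a project named "development" looks like a copy of the environment default and would silently point a store at the wrong project when `project` is omitted, so either drop the default (the field is already under `required:`) or make it a real project default. Two smaller points in the same block: the `environment` description misspells "environmnent", and `apiHost` is both given a `default:` and listed under `required:`, which is harmless but redundant.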
@@ -2948,7 +3853,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -2957,26 +3864,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2995,13 +3910,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -3012,10 +3934,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3023,7 +3950,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3035,6 +3964,145 @@ spec: - region - vault type: object + passbolt: + properties: + auth: + description: Auth defines the information necessary to authenticate against Passbolt Server + properties: + passwordSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + privateKeySecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - passwordSecretRef + - privateKeySecretRef + type: object + host: + description: Host defines the Passbolt Server to connect to + type: string + required: + - auth + - host + type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. 
+ properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object + pulumi: + description: Pulumi configures this store to sync secrets using the Pulumi provider + properties: + accessToken: + description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + default: https://api.pulumi.com + description: APIURL is the URL of the Pulumi API. 
+ type: string + environment: + description: |- + Environment are YAML documents composed of static key-value pairs, programmatic expressions, + dynamically retrieved values from supported providers including all major clouds, + and other Pulumi ESC environments. + To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. + type: string + organization: + description: |- + Organization are a space to collaborate on shared projects and stacks. + To create a new organization, visit https://app.pulumi.com/ and click "New Organization". + type: string + required: + - accessToken + - environment + - organization + type: object scaleway: description: Scaleway properties: @@ -3045,13 +4113,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3074,13 +4146,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3102,16 +4178,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3140,39 +4222,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3180,37 +4284,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -3222,7 +4342,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3230,7 +4353,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3252,39 +4377,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3298,25 +4438,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3324,7 +4480,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3334,55 +4492,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3390,7 +4579,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3400,43 +4591,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -3444,23 +4660,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -3468,7 +4695,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3481,7 +4712,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -3494,23 +4727,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -3526,7 +4825,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3567,7 +4870,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -3577,13 +4882,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -3614,13 +4923,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3628,16 +4941,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3657,13 +4976,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3671,16 +4994,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -3750,7 +5079,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -3768,13 +5097,28 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. + description: |- + ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an + authorization token. + The authorization token is valid for 12 hours. + The authorizationToken returned is a base64 encoded string that can be decoded + and used in a docker login command to authenticate to a registry. + For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3790,7 +5134,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3798,52 +5145,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -3852,7 +5218,9 @@ spec: description: Region specifies the region to operate in. type: string role: - description: You can assume a role before making calls to the desired AWS service. + description: |- + You can assume a role before making calls to the + desired AWS service. type: string required: - region @@ -3878,7 +5246,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: externalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -3910,10 +5278,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3955,7 +5332,9 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: description: ExternalSecretDataRemoteRef defines Provider data location. properties: 
@@ -3981,13 +5360,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -3996,11 +5380,15 @@ spec: - name type: object target: - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Merge 
@@ -4010,7 +5398,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4021,7 +5412,10 @@ spec: type: object engineVersion: default: v1 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4093,7 +5487,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4117,7 +5514,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4149,10 +5548,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4165,7 +5573,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -4203,14 +5613,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -4230,7 +5649,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4245,11 +5666,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -4287,7 +5712,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -4322,11 +5749,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -4339,10 +5770,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -4350,7 +5785,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -4374,7 +5815,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4387,13 +5830,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -4405,11 +5853,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -4418,7 +5870,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -4428,7 +5882,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4439,7 +5896,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4533,7 +5993,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4557,7 +6020,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4586,7 +6051,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4604,13 +6069,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Fake generator is used for testing. It lets you define a static set of credentials that is always returned. + description: |- + Fake generator is used for testing. It lets you define + a static set of credentials that is always returned. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4618,12 +6094,16 @@ spec: description: FakeSpec contains the static data. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string data: additionalProperties: type: string - description: Data defines the static data returned by this generator. + description: |- + Data defines the static data returned + by this generator. type: object type: object type: object @@ -4647,7 +6127,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -4665,13 +6145,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: GCRAccessToken generates an GCP access token that can be used to authenticate with GCR. + description: |- + GCRAccessToken generates an GCP access token + that can be used to authenticate with GCR. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4686,13 +6177,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -4708,7 +6203,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -4716,7 +6214,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -4750,65 +6250,187 @@ spec: namespace: "default" path: /convert --- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml +# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: passwords.generators.external-secrets.io + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubaccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io names: categories: - - password - kind: Password - listKind: PasswordList - plural: passwords + - githubaccesstoken + kind: GithubAccessToken + listKind: GithubAccessTokenList + plural: githubaccesstokens shortNames: - - password - singular: password + - githubaccesstoken + singular: githubaccesstoken scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: - description: Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes. + description: GithubAccessToken generates ghs_ accessToken properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: PasswordSpec controls the behavior of the password generator. properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: Length of the password to be generated. Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: SymbolCharacters specifies the special characters that should be used in the generated password. + appID: type: string - symbols: - description: Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat + auth: + description: Auth configures how ESO authenticates with a Github instance. + properties: + privatKey: + properties: + secretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. 
+ type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - secretRef + type: object + required: + - privatKey + type: object + installID: + type: string + url: + description: URL configures the Github instance URL. Defaults to https://github.com/. + type: string + required: + - appID + - auth + - installID + type: object + type: object + served: true + storage: true + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + clientConfig: + service: + name: common-golang-external-secrets-webhook + namespace: "default" + path: /convert +--- +# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: passwords.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - password + kind: Password + listKind: PasswordList + plural: passwords + shortNames: + - password + singular: password + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Password generates a random password based on the + configuration parameters in spec. + You can specify the length, characterset and other attributes. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PasswordSpec controls the behavior of the password generator. + properties: + allowRepeat: + default: false + description: set AllowRepeat to true to allow repeating characters. + type: boolean + digits: + description: |- + Digits specifies the number of digits in the generated + password. If omitted it defaults to 25% of the length of the password + type: integer + length: + default: 24 + description: |- + Length of the password to be generated. + Defaults to 24 + type: integer + noUpper: + default: false + description: Set NoUpper to disable uppercase characters + type: boolean + symbolCharacters: + description: |- + SymbolCharacters specifies the special characters that should be used + in the generated password. + type: string + symbols: + description: |- + Symbols specifies the number of symbol characters in the generated + password. If omitted it defaults to 25% of the length of the password + type: integer + required: + - allowRepeat - length - noUpper type: object @@ -4833,7 +6455,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: pushsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -4858,10 +6480,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4872,6 +6503,13 @@ spec: description: Secret Data that should be pushed to providers items: properties: + conversionStrategy: + default: None + description: Used to define a conversion Strategy for the secret keys + enum: + - None + - ReverseUnicode + type: string match: description: Match a given Secret Key to be pushed to the provider. properties: 
@@ -4894,7 +6532,9 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match @@ -4915,7 +6555,9 @@ spec: properties: kind: default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string labelSelector: description: Optionally, sync to secret stores with label selector 
@@ -4923,16 +6565,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4944,7 +6594,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4977,7 +6630,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -5063,6 +6719,13 @@ spec: type: type: string type: object + updatePolicy: + default: Replace + description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' + enum: + - Replace + - IfNotExists + type: string required: - secretStoreRefs - selector @@ -5092,7 +6755,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -5100,6 +6765,13 @@ spec: additionalProperties: additionalProperties: properties: + conversionStrategy: + default: None + description: Used to define a conversion Strategy for the secret keys + enum: + - None + - ReverseUnicode + type: string match: description: Match a given Secret Key to be pushed to the provider. properties: @@ -5122,13 +6794,17 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match type: object type: object - description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore. + description: |- + Synced PushSecrets, including secrets that already exist in provider. + Matches secret stores to PushSecretData that was stored to that secret store. type: object syncedResourceVersion: description: SyncedResourceVersion keeps track of the last synced version. @@ -5155,7 +6831,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretstores.external-secrets.io spec: group: external-secrets.io 
@@ -5184,10 +6860,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -5195,7 +6880,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5212,7 +6899,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -5221,23 +6910,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5245,7 +6949,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5255,51 +6961,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -5358,26 +7085,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5396,7 +7131,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -5405,7 +7143,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5413,39 +7154,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5476,32 +7229,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -5511,10 +7276,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5522,7 +7292,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
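Review bot: the reflowed `+` descriptions in the Azure section carry over wording errors from the upstream Go doc comments: "service principle" (in the `clientId` and `clientSecret` descriptions) should be "service principal", "If multiple Managed Identity is assigned" should be "If multiple Managed Identities are assigned", and "ServiceAccountRef specified the service account" should read "specifies". Since this file is generated, do not hand-edit the yaml; raise the fixes against the upstream type comments so the next regeneration picks them up.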
@@ -5571,13 +7343,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5593,7 +7369,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5601,7 +7380,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5628,13 +7409,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5662,13 +7447,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5693,29 +7482,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5726,7 +7527,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5734,7 +7538,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5744,16 +7550,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5803,7 +7615,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5812,26 +7627,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5850,13 +7673,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -5867,10 +7697,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5878,7 +7713,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -5890,6 +7727,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
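Review bot: the new `passworddepot` block is missing validation and documentation that the sibling providers have. `auth.secretRef` has no `description`, and nothing under it is `required`, so an `auth` with an empty `secretRef` passes schema validation. The `credentials` description ("Username / Password is used for authentication") does not say how a username and a password are encoded in the single Secret key the selector points at, nor what `key` defaults to when omitted. `host` is a bare `type: string` with no `format` or `pattern`, so a plain-http URL is accepted and the credentials would be sent in cleartext; consider a `pattern` restricting it to `https://` or at least documenting the expectation in the description.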
@@ -5897,26 +7774,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5925,55 +7816,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5981,7 +7900,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
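Review bot: two wording defects survive the reflow in the Vault `jwt` block: the `audiences` description says "Defaults to a single audience `vault` it not specified" (should be "if not specified"), and the `kubernetesServiceAccountToken` description doubles the preposition ("for which to request a token for"). Both come from the upstream Go comments and should be fixed there rather than in the generated CRD.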
@@ -5991,55 +7912,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6047,7 +7999,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6057,27 +8011,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -6087,18 +8054,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6124,23 +8099,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -6156,7 +8148,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -6197,7 +8193,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -6207,13 +8205,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -6244,13 +8246,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6258,16 +8264,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6334,10 +8346,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -6347,7 +8368,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -6355,16 +8378,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6376,7 +8407,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6388,7 +8422,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -6405,7 +8441,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -6414,23 +8452,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6438,7 +8491,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6448,51 +8503,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6505,7 +8581,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -6551,26 +8629,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6594,7 +8680,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -6603,7 +8692,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -6611,52 +8703,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -6674,10 +8785,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
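Review bot: every hunk above, from the Vault `jwt` auth block down to the AWS `recoveryWindowInDays` field, changes only the quoting of `description` scalars (single-quoted or plain scalars rewritten as `|-` block scalars), which is what a newer controller-gen emits; the words are unchanged, but with `|-` the line breaks become part of the string value, so `kubectl explain` and anything that diffs CRD descriptions will now see multi-line strings where they were single lines. The hunk headers jumping from roughly line 5991 in the old file to 7912 in the new one confirm the file was regenerated wholesale rather than edited by hand, so keep it that way: regenerate from the pinned generator version and do not hand-fix individual descriptions, or the quoting will flip back on the next run and bury real schema changes (like the Azure one below) in noise again.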
@@ -6713,38 +8834,67 @@ spec: description: AzureKV configures this store to sync secrets using Azure Key Vault provider properties: authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. + description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: clientId: - description: The Azure clientId of the service principle used for authentication. + description: The Azure clientId of the service principle or managed identity used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. 
type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + tenantId: + description: The Azure tenantId of the managed identity used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity 
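Review bot: the reflowed `authType` description in the Azure hunk (`@@ -6713,38 +8834,67 @@`) still lists only `"ServicePrincipal"` and `"ManagedIdentity"` as valid values, while the same hunk changes `authSecretRef` to read "Optional for WorkloadIdentity" and adds a nested `tenantId` secret reference "of the managed identity"; update the list to name WorkloadIdentity and state which `authSecretRef` entries (`clientId`, `clientSecret`, `tenantId`) each auth type actually reads, otherwise the new nested `tenantId` is undocumented for the ServicePrincipal path and its precedence over the top-level `tenantId` string is unclear. Also, the changed line `+ description: The Azure clientId of the service principle or managed identity used for authentication.` carries the "service principle" misspelling forward (it should be "service principal"); fix it while the line is being touched, and the adjacent unchanged `clientSecret` description has the same typo.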
@@ -6752,7 +8902,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud @@ -6763,10 +8917,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -6774,13 +8933,15 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. + description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. type: string vaultUrl: description: Vault Url from which the secrets to be fetched from. 
@@ -6788,6 +8949,49 @@ spec: required: - vaultUrl type: object + chef: + description: Chef configures this store to sync secrets with chef server + properties: + auth: + description: Auth defines the information necessary to authenticate against chef Server + properties: + secretRef: + description: ChefAuthSecretRef holds secret references for chef server login credentials. + properties: + privateKeySecretRef: + description: SecretKey is the Signing Key in PEM format, used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - privateKeySecretRef + type: object + required: + - secretRef + type: object + serverUrl: + description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" + type: string + username: + description: UserName should be the user ID on the chef server + type: string + required: + - auth + - serverUrl + - username + type: object conjur: description: Conjur configures this store to sync secrets using conjur provider properties: 
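Review bot: in the new `chef` provider hunk (`@@ -6788,6 +8949,49 @@`) the `privateKeySecretRef` description, `SecretKey is the Signing Key in PEM format, used for authentication.`, names a field that does not exist; reword it to "PrivateKeySecretRef is the user's signing key in PEM format" so the doc matches the property. `serverUrl` is described as needing to include the org and "terminate the url with a "/"", yet the schema is a bare `type: string`; a `pattern` requiring an `http(s)://` scheme and a trailing slash (or at least `format: uri`) would catch the mistake at admission rather than as an opaque signing failure. Finally, `privateKeySecretRef` is required but its `key` is not, which the generic selector text permits; say in the description which key name is assumed when `key` is omitted.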
@@ -6798,29 +9002,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6832,24 +9048,40 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6857,7 +9089,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -6873,7 +9107,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -6882,7 +9119,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
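Review bot: the new `hostId` in the Conjur JWT hunk (`@@ -6832,24 +9048,40 @@`) is documented only as "may be used depending on how the Conjur JWT authenticator policy is configured", which does not tell an operator when to set it; state that it is needed when the authenticator is not configured to derive the host identity from a token claim, and that it is ignored otherwise, so a mismatch between the JWT subject and `hostId` is not debugged blind.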
@@ -6901,7 +9140,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. @@ -6910,13 +9151,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -6930,13 +9175,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -6947,10 +9196,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId 
@@ -6966,16 +9219,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7036,6 +9296,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
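Review bot: in the new `fortanix` provider hunk (`@@ -7036,6 +9296,34 @@`) neither `apiKey` nor `apiKey.secretRef` appears in a `required:` list, so `fortanix: {}` passes schema validation and fails only at sync time; add `required: - apiKey` under the provider and `required: - secretRef` under `apiKey`, as the `chef` block in this same file does for its auth reference. `apiUrl` says `Defaults to `sdkms.fortanix.com`.` but sets no `default:` in the schema, unlike the `onboardbase` `apiHost` below which declares one; either add `default: sdkms.fortanix.com` or make clear the default is applied by the controller, and say whether the value is a bare host or a full URL, since the field is called APIURL.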
@@ -7048,13 +9336,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7070,7 +9362,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7078,7 +9373,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7105,13 +9402,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7166,13 +9467,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7187,16 +9492,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -7217,29 +9528,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7247,7 +9570,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7255,7 +9581,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7264,16 +9592,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7299,7 +9633,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7319,6 +9655,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -7332,13 +9732,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
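Review bot: in the new `onboardbase` provider hunk (`@@ -7319,6 +9655,70 @@`) `project` is given `default: development`, identical to the `environment` default directly above it, which looks like a copy-and-paste slip: "development" is a plausible environment name but not a plausible project, and silently pulling secrets from a project the user never named is the wrong failure mode. Drop the `default:` on `project` and rely on it being in `required:`, or document why that default is intended. The `environment` description also has a typo, "environmnent".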
@@ -7364,7 +9768,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -7373,26 +9779,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7411,13 +9825,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -7428,10 +9849,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -7439,7 +9865,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7451,6 +9879,145 @@ spec: - region - vault type: object + passbolt: + properties: + auth: + description: Auth defines the information necessary to authenticate against Passbolt Server + properties: + passwordSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + privateKeySecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - passwordSecretRef + - privateKeySecretRef + type: object + host: + description: Host defines the Passbolt Server to connect to + type: string + required: + - auth + - host + type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. 
+ properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object + pulumi: + description: Pulumi configures this store to sync secrets using the Pulumi provider + properties: + accessToken: + description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + default: https://api.pulumi.com + description: APIURL is the URL of the Pulumi API. 
+ type: string + environment: + description: |- + Environment are YAML documents composed of static key-value pairs, programmatic expressions, + dynamically retrieved values from supported providers including all major clouds, + and other Pulumi ESC environments. + To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. + type: string + organization: + description: |- + Organization are a space to collaborate on shared projects and stacks. + To create a new organization, visit https://app.pulumi.com/ and click "New Organization". + type: string + required: + - accessToken + - environment + - organization + type: object scaleway: description: Scaleway properties: @@ -7461,13 +10028,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7490,13 +10061,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7518,16 +10093,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7556,39 +10137,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7596,37 +10199,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -7638,7 +10257,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7646,7 +10268,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7668,39 +10292,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7714,25 +10353,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7740,7 +10395,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7750,55 +10407,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7806,7 +10494,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7816,43 +10506,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -7860,23 +10575,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -7884,7 +10610,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7897,7 +10627,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7910,23 +10642,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -7942,7 +10740,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7983,7 +10785,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -7993,13 +10797,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -8030,13 +10838,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8044,16 +10856,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8073,13 +10891,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8087,16 +10909,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -8166,7 +10994,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -8186,17 +11014,28 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string method: description: Vault API method to use (GET/POST/other) 
@@ -8214,39 +11053,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -8254,37 +11115,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -8296,7 +11173,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8304,7 +11184,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8326,39 +11208,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8372,25 +11269,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8398,7 +11311,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8408,55 +11323,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8464,7 +11410,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8474,43 +11422,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -8518,23 +11491,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -8542,7 +11526,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -8555,7 +11543,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -8568,23 +11558,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -8595,7 +11651,12 @@ spec: type: object resultType: default: Data - description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + description: |- + Result type defines which data is returned from the generator. + By default it is the "data" section of the Vault API response. + When using e.g. /auth/token/create the "data" section is empty but + the "auth" section contains the generated token. + Please refer to the vault docs regarding the result data structure. enum: - Data - Auth 
@@ -8620,16 +11681,163 @@ spec: namespace: "default" path: /convert --- +# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: webhooks.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - webhook + kind: Webhook + listKind: WebhookList + plural: webhooks + shortNames: + - webhookl + singular: webhook + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Webhook connects to a third party API server to handle the secrets generation + configuration parameters in spec. + You can specify the server, the token, and additional body parameters. + See documentation for the full API specification for requests and responses. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. + properties: + body: + description: Body + type: string + caBundle: + description: |- + PEM encoded CA bundle used to validate webhook server certificate. 
Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. + format: byte + type: string + caProvider: + description: The provider for the CA bundle to use to validate webhook server certificate. + properties: + key: + description: The key the value inside of the provider type to use, only used with "Secret" type + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object + headers: + additionalProperties: + type: string + description: Headers + type: object + method: + description: Webhook Method + type: string + result: + description: Result formatting + properties: + jsonPath: + description: Json path of return value + type: string + type: object + secrets: + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name + items: + properties: + name: + description: Name of this secret in templates + type: string + secretRef: + description: Secret ref to fill in credentials + properties: + key: + description: The key where the token is found. + type: string + name: + description: The name of the Secret resource being referred to. 
+ type: string + type: object + required: + - name + - secretRef + type: object + type: array + timeout: + description: Timeout + type: string + url: + description: Webhook url to call + type: string + required: + - result + - url + type: object + type: object + served: true + storage: true + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + clientConfig: + service: + name: common-golang-external-secrets-webhook + namespace: "default" + path: /convert +--- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8693,10 +11901,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8739,8 +11947,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "get" - "list" 
@@ -8802,10 +12012,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8829,8 +12039,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "get" - "watch" @@ -8842,10 +12054,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8870,8 +12082,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "create" - "delete" @@ -8886,10 +12100,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8907,10 +12121,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8918,7 +12132,7 @@ roleRef: name: common-golang-external-secrets-cert-controller subjects: - name: external-secrets-cert-controller - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml @@ -8927,10 +12141,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8938,7 +12152,7 @@ roleRef: name: common-golang-external-secrets-controller subjects: - name: common-golang-external-secrets - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml 
@@ -8961,12 +12175,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: common-golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -9000,12 +12214,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: common-golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -9014,19 +12228,19 @@ roleRef: subjects: - kind: ServiceAccount name: common-golang-external-secrets - namespace: "default" + namespace: default --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml apiVersion: v1 kind: Service metadata: name: common-golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
@@ -9045,12 +12259,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: common-golang-external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9062,10 +12276,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -9080,7 +12294,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -9108,12 +12322,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: common-golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -9125,10 +12339,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: common-golang-external-secrets @@ -9143,7 +12357,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -9158,12 +12372,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: common-golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9175,10 +12389,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -9193,7 +12407,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - webhook 
@@ -9225,7 +12439,7 @@ spec: secret: secretName: common-golang-external-secrets-webhook --- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml +# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore metadata: @@ -9273,7 +12487,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: common-golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-secretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -9289,7 +12503,7 @@ webhooks: scope: "Cluster" clientConfig: service: - namespace: "default" + namespace: default name: common-golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-clustersecretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -9313,7 +12527,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: common-golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-externalsecret admissionReviewVersions: ["v1", "v1beta1"] diff --git a/tests/common-golang-external-secrets-normal.expected.yaml b/tests/common-golang-external-secrets-normal.expected.yaml index 0c569a2..a0ad351 100644 --- a/tests/common-golang-external-secrets-normal.expected.yaml +++ b/tests/common-golang-external-secrets-normal.expected.yaml @@ -4,12 +4,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml 
@@ -17,12 +17,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: common-golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -30,12 +30,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -43,12 +43,12 @@ apiVersion: v1 kind: Secret metadata: name: common-golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,7 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -85,18 +85,39 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md" + description: |- + ACRAccessToken returns a Azure Container Registry token + that can be used for pushing/pulling images. + Note: by default it will return an ACR Refresh Token with full access + (depending on the identity). + This can be scoped down to the repository level using .spec.scope. + In case scope is defined it will return an ACR Access Token. + + + See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: 'ACRAccessTokenSpec defines how to generate the access token e.g. how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview' + description: |- + ACRAccessTokenSpec defines how to generate the access token + e.g. how to authenticate and which registry to use. + see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview properties: auth: properties: 
@@ -111,32 +132,42 @@ spec: description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. properties: secretRef: - description: Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret. + description: |- + Configuration used to authenticate with Azure using static + credentials stored in a Kind=Secret. properties: clientId: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -147,10 +178,15 @@ spec: description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. properties: serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -158,7 +194,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -167,7 +205,11 @@ spec: type: object environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -175,10 +217,23 @@ spec: - GermanCloud type: string registry: - description: the domain name of the ACR registry e.g. foobarexample.azurecr.io + description: |- + the domain name of the ACR registry + e.g. foobarexample.azurecr.io type: string scope: - description: "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. \n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/" + description: |- + Define the scope for the access token, e.g. pull/push access for a repository. + if not provided it will return a refresh token that has full scope. + Note: you need to pin it down to the repository level, there is no wildcard available. + + + examples: + repository:my-repository:pull,push + repository:my-repository:pull + + + see docs for details: https://docs.docker.com/registry/spec/auth/scope/ type: string tenantId: description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. @@ -208,7 +263,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -239,10 +294,19 @@ spec: description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -273,7 +337,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -311,14 +377,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -338,7 +413,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -353,11 +430,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -395,7 +476,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -430,11 +513,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -447,10 +534,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -458,7 +549,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -482,7 +579,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -495,13 +594,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -513,11 +617,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -526,7 +634,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -536,7 +646,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -547,7 +660,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 
@@ -636,21 +752,31 @@ spec: type: object type: object namespaceSelector: - description: The labels to select by to find the Namespaces to create the ExternalSecrets in. + description: |- + The labels to select by to find the Namespaces to create the ExternalSecrets in. + Deprecated: Use NamespaceSelectors instead. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -662,10 +788,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + namespaceSelectors: + description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array namespaces: description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. items: @@ -739,7 +916,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io 
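Review bot: the `@@ -636,21 +752,31 @@` and `@@ -662,10 +788,61 @@` hunks carry the one real schema change in this region and deserve a callout in the commit message: `ClusterExternalSecret.spec.namespaceSelector` is now documented as `Deprecated: Use NamespaceSelectors instead.` and a new `namespaceSelectors` list is added whose entries are ORed, while `matchLabels` and `matchExpressions` inside each entry stay ANDed. A ClusterExternalSecret creates ExternalSecrets in every namespace the selector picks, so an ORed list is strictly wider than the single selector it replaces; any pattern manifests still using `namespaceSelector` should be migrated to a one-element `namespaceSelectors` list, and whoever reviews those manifests should check that no entry is an empty selector, which per the added description "matches all objects". Note also that the unchanged `namespaces` description still says it is ORed with "anything that NamespaceSelector ends up choosing", so the singular field is deprecated but remains in the schema.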
@@ -768,10 +945,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -779,7 +965,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -796,7 +984,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -805,23 +995,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -829,7 +1034,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -839,51 +1046,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -942,26 +1170,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -980,7 +1216,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -989,7 +1228,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
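Review bot: in the AWS `auth` description the security-relevant sentence, "if not set aws sdk will infer credentials from your environment", is buried in a run-on; it should state explicitly that omitting `auth` makes the controller authenticate with whatever credentials its own pod environment holds, and the sentence needs punctuation. The `audiences` description in the second hunk ("then this audiences will be appended to the list") has the same grammar problem. Both strings are generated from upstream Go doc comments, so the fix belongs there rather than in this file.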
@@ -997,39 +1239,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1060,32 +1314,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -1095,10 +1361,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1106,7 +1377,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
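Review bot: the `authType` description lists only "ServicePrincipal" and "ManagedIdentity" as valid values, yet the following hunk in this series adds a `serviceAccountRef` "that should be used when authenticating with WorkloadIdentity"; if the enum accepts a WorkloadIdentity value the description should list it, and if it does not the serviceAccountRef text is misleading. The unchanged context lines also carry "service principle" twice (clientId and clientSecret descriptions) and "ServiceAccountRef specified the service account" should read "specifies"; these are upstream doc-comment typos the regeneration faithfully reproduces.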
@@ -1155,13 +1428,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1177,7 +1454,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1185,7 +1465,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1212,13 +1494,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1246,13 +1532,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1277,29 +1567,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1310,7 +1612,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1318,7 +1623,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1328,16 +1635,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1387,7 +1700,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1396,26 +1712,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1434,13 +1758,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -1451,10 +1782,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -1462,7 +1798,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -1474,6 +1812,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
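Review bot: the new `passworddepot` block is under-specified compared with every other provider in this file. `auth.secretRef` is the only secretRef here without a `description:`; `credentials` is not listed under a `required:` for secretRef, so `auth: {secretRef: {}}` passes schema validation and fails only at runtime; the `credentials` description "Username / Password is used for authentication" does not say which `data` keys are expected; and `host` ("URL configures the Password Depot instance URL") is circular and has no `format: uri`. Suggest adding `required: - credentials` under secretRef, naming the expected Secret keys in the `credentials` description, and stating on `host` that an https URL is expected so a plaintext endpoint is a deliberate choice rather than an accident.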
@@ -1481,26 +1859,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
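Review bot: the appRole `secretRef` description states "The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret", but the schema under it lists `key`, `name` and `namespace` with no `required:` of its own (the `required:` at the end of this hunk belongs to appRole, not to secretRef), so a secretRef with only `name` is accepted at admission and rejected only when the controller tries to read the secret. Either add `required: - key` to secretRef or reword the description to say the key is defaulted, whichever matches the controller's behaviour.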
@@ -1509,55 +1901,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1565,7 +1985,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
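Review bot: typo in the added `audiences` description under `kubernetesServiceAccountToken`: "Defaults to a single audience `vault` it not specified" should read "if not specified". In the same hunk `expirationSeconds` has `format: int64` but no `minimum:`; since the description documents a default of 10 minutes, a lower bound in the schema would reject zero or negative values at admission rather than at TokenRequest time. Both changes belong in the upstream Go types the CRD is generated from.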
@@ -1575,55 +1997,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1631,7 +2084,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1641,27 +2096,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -1671,18 +2139,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -1708,23 +2184,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -1740,7 +2233,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -1781,7 +2278,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -1791,13 +2290,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -1828,13 +2331,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1842,16 +2349,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1918,10 +2431,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1931,7 +2453,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -1939,16 +2463,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1960,7 +2492,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1972,7 +2507,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1989,7 +2526,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -1998,23 +2537,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2022,7 +2576,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2032,51 +2588,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -2089,7 +2666,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2135,26 +2714,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2178,7 +2765,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -2187,7 +2777,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2195,52 +2788,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -2258,10 +2870,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -2297,38 +2919,67 @@ spec: description: AzureKV configures this store to sync secrets using Azure Key Vault provider properties: authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. + description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: clientId: - description: The Azure clientId of the service principle used for authentication. + description: The Azure clientId of the service principle or managed identity used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. 
+ type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + tenantId: + description: The Azure tenantId of the managed identity used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity 
@@ -2336,7 +2987,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud @@ -2347,10 +3002,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2358,13 +3018,15 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. + description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. type: string vaultUrl: description: Vault Url from which the secrets to be fetched from. 
@@ -2372,6 +3034,49 @@ spec: required: - vaultUrl type: object + chef: + description: Chef configures this store to sync secrets with chef server + properties: + auth: + description: Auth defines the information necessary to authenticate against chef Server + properties: + secretRef: + description: ChefAuthSecretRef holds secret references for chef server login credentials. + properties: + privateKeySecretRef: + description: SecretKey is the Signing Key in PEM format, used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - privateKeySecretRef + type: object + required: + - secretRef + type: object + serverUrl: + description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" + type: string + username: + description: UserName should be the user ID on the chef server + type: string + required: + - auth + - serverUrl + - username + type: object conjur: description: Conjur configures this store to sync secrets using conjur provider properties: 
@@ -2382,29 +3087,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2416,24 +3133,40 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2441,7 +3174,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -2457,7 +3192,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -2466,7 +3204,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2485,7 +3225,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. @@ -2494,13 +3236,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -2514,13 +3260,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -2531,10 +3281,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId 
@@ -2550,16 +3304,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2620,6 +3381,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
@@ -2632,13 +3421,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2654,7 +3447,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2662,7 +3458,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2689,13 +3487,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2750,13 +3552,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2771,16 +3577,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -2801,29 +3613,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2831,7 +3655,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2839,7 +3666,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2848,16 +3677,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2883,7 +3718,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2903,6 +3740,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -2916,13 +3817,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2948,7 +3853,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -2957,26 +3864,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2995,13 +3910,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -3012,10 +3934,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3023,7 +3950,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3035,6 +3964,145 @@ spec: - region - vault type: object + passbolt: + properties: + auth: + description: Auth defines the information necessary to authenticate against Passbolt Server + properties: + passwordSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + privateKeySecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - passwordSecretRef + - privateKeySecretRef + type: object + host: + description: Host defines the Passbolt Server to connect to + type: string + required: + - auth + - host + type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. 
+ properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object + pulumi: + description: Pulumi configures this store to sync secrets using the Pulumi provider + properties: + accessToken: + description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + default: https://api.pulumi.com + description: APIURL is the URL of the Pulumi API. 
+ type: string + environment: + description: |- + Environment are YAML documents composed of static key-value pairs, programmatic expressions, + dynamically retrieved values from supported providers including all major clouds, + and other Pulumi ESC environments. + To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. + type: string + organization: + description: |- + Organization are a space to collaborate on shared projects and stacks. + To create a new organization, visit https://app.pulumi.com/ and click "New Organization". + type: string + required: + - accessToken + - environment + - organization + type: object scaleway: description: Scaleway properties: @@ -3045,13 +4113,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3074,13 +4146,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3102,16 +4178,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3140,39 +4222,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3180,37 +4284,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -3222,7 +4342,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3230,7 +4353,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3252,39 +4377,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3298,25 +4438,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3324,7 +4480,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3334,55 +4492,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3390,7 +4579,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3400,43 +4591,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -3444,23 +4660,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -3468,7 +4695,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3481,7 +4712,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -3494,23 +4727,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -3526,7 +4825,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3567,7 +4870,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -3577,13 +4882,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -3614,13 +4923,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3628,16 +4941,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3657,13 +4976,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3671,16 +4994,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -3750,7 +5079,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -3768,13 +5097,28 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. + description: |- + ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an + authorization token. + The authorization token is valid for 12 hours. + The authorizationToken returned is a base64 encoded string that can be decoded + and used in a docker login command to authenticate to a registry. + For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3790,7 +5134,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3798,52 +5145,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -3852,7 +5218,9 @@ spec: description: Region specifies the region to operate in. type: string role: - description: You can assume a role before making calls to the desired AWS service. + description: |- + You can assume a role before making calls to the + desired AWS service. type: string required: - region @@ -3878,7 +5246,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: externalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -3910,10 +5278,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3955,7 +5332,9 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: description: ExternalSecretDataRemoteRef defines Provider data location. properties: 
@@ -3981,13 +5360,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -3996,11 +5380,15 @@ spec: - name type: object target: - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Merge 
@@ -4010,7 +5398,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4021,7 +5412,10 @@ spec: type: object engineVersion: default: v1 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4093,7 +5487,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4117,7 +5514,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4149,10 +5548,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4165,7 +5573,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -4203,14 +5613,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -4230,7 +5649,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4245,11 +5666,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -4287,7 +5712,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -4322,11 +5749,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -4339,10 +5770,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -4350,7 +5785,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -4374,7 +5815,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4387,13 +5830,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -4405,11 +5853,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -4418,7 +5870,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -4428,7 +5882,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4439,7 +5896,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4533,7 +5993,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4557,7 +6020,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4586,7 +6051,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4604,13 +6069,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Fake generator is used for testing. It lets you define a static set of credentials that is always returned. + description: |- + Fake generator is used for testing. It lets you define + a static set of credentials that is always returned. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4618,12 +6094,16 @@ spec: description: FakeSpec contains the static data. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string data: additionalProperties: type: string - description: Data defines the static data returned by this generator. + description: |- + Data defines the static data returned + by this generator. type: object type: object type: object @@ -4647,7 +6127,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -4665,13 +6145,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: GCRAccessToken generates an GCP access token that can be used to authenticate with GCR. + description: |- + GCRAccessToken generates an GCP access token + that can be used to authenticate with GCR. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4686,13 +6177,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -4708,7 +6203,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -4716,7 +6214,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -4750,65 +6250,187 @@ spec: namespace: "default" path: /convert --- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml +# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: passwords.generators.external-secrets.io + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubaccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io names: categories: - - password - kind: Password - listKind: PasswordList - plural: passwords + - githubaccesstoken + kind: GithubAccessToken + listKind: GithubAccessTokenList + plural: githubaccesstokens shortNames: - - password - singular: password + - githubaccesstoken + singular: githubaccesstoken scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: - description: Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes. + description: GithubAccessToken generates ghs_ accessToken properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: PasswordSpec controls the behavior of the password generator. properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: Length of the password to be generated. Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: SymbolCharacters specifies the special characters that should be used in the generated password. + appID: type: string - symbols: - description: Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat + auth: + description: Auth configures how ESO authenticates with a Github instance. + properties: + privatKey: + properties: + secretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. 
+ type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - secretRef + type: object + required: + - privatKey + type: object + installID: + type: string + url: + description: URL configures the Github instance URL. Defaults to https://github.com/. + type: string + required: + - appID + - auth + - installID + type: object + type: object + served: true + storage: true + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + clientConfig: + service: + name: common-golang-external-secrets-webhook + namespace: "default" + path: /convert +--- +# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: passwords.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - password + kind: Password + listKind: PasswordList + plural: passwords + shortNames: + - password + singular: password + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Password generates a random password based on the + configuration parameters in spec. + You can specify the length, characterset and other attributes. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PasswordSpec controls the behavior of the password generator. + properties: + allowRepeat: + default: false + description: set AllowRepeat to true to allow repeating characters. + type: boolean + digits: + description: |- + Digits specifies the number of digits in the generated + password. If omitted it defaults to 25% of the length of the password + type: integer + length: + default: 24 + description: |- + Length of the password to be generated. + Defaults to 24 + type: integer + noUpper: + default: false + description: Set NoUpper to disable uppercase characters + type: boolean + symbolCharacters: + description: |- + SymbolCharacters specifies the special characters that should be used + in the generated password. + type: string + symbols: + description: |- + Symbols specifies the number of symbol characters in the generated + password. If omitted it defaults to 25% of the length of the password + type: integer + required: + - allowRepeat - length - noUpper type: object @@ -4833,7 +6455,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: pushsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -4858,10 +6480,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4872,6 +6503,13 @@ spec: description: Secret Data that should be pushed to providers items: properties: + conversionStrategy: + default: None + description: Used to define a conversion Strategy for the secret keys + enum: + - None + - ReverseUnicode + type: string match: description: Match a given Secret Key to be pushed to the provider. properties: 
@@ -4894,7 +6532,9 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match @@ -4915,7 +6555,9 @@ spec: properties: kind: default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string labelSelector: description: Optionally, sync to secret stores with label selector 
@@ -4923,16 +6565,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4944,7 +6594,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4977,7 +6630,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -5063,6 +6719,13 @@ spec: type: type: string type: object + updatePolicy: + default: Replace + description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' + enum: + - Replace + - IfNotExists + type: string required: - secretStoreRefs - selector @@ -5092,7 +6755,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -5100,6 +6765,13 @@ spec: additionalProperties: additionalProperties: properties: + conversionStrategy: + default: None + description: Used to define a conversion Strategy for the secret keys + enum: + - None + - ReverseUnicode + type: string match: description: Match a given Secret Key to be pushed to the provider. properties: @@ -5122,13 +6794,17 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match type: object type: object - description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore. + description: |- + Synced PushSecrets, including secrets that already exist in provider. + Matches secret stores to PushSecretData that was stored to that secret store. type: object syncedResourceVersion: description: SyncedResourceVersion keeps track of the last synced version. @@ -5155,7 +6831,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretstores.external-secrets.io spec: group: external-secrets.io 
@@ -5184,10 +6860,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -5195,7 +6880,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5212,7 +6899,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -5221,23 +6910,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5245,7 +6949,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5255,51 +6961,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -5358,26 +7085,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5396,7 +7131,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -5405,7 +7143,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5413,39 +7154,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5476,32 +7229,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -5511,10 +7276,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5522,7 +7292,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5571,13 +7343,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5593,7 +7369,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5601,7 +7380,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5628,13 +7409,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5662,13 +7447,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5693,29 +7482,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5726,7 +7527,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5734,7 +7538,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5744,16 +7550,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5803,7 +7615,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5812,26 +7627,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5850,13 +7673,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -5867,10 +7697,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5878,7 +7713,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -5890,6 +7727,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
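Review bot: in the new `passworddepot` block, `auth.secretRef` declares no `required` list, so a SecretStore with an empty `secretRef: {}` passes schema validation and the missing credentials are only discovered when the controller tries to authenticate; add `required: - credentials` under `secretRef`, matching how the enclosing `auth` already requires `secretRef`. The `host` field is described as "the Password Depot instance URL" but is validated only as `type: string`, so a `format: uri` (or a `pattern`) would reject malformed values at admission rather than at sync time. The `credentials` description ("Username / Password is used for authentication.") should also state which key(s) in the referenced Secret the provider reads, since the selector only names one `key`.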
@@ -5897,26 +7774,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5925,55 +7816,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5981,7 +7900,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5991,55 +7912,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6047,7 +7999,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6057,27 +8011,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -6087,18 +8054,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6124,23 +8099,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -6156,7 +8148,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -6197,7 +8193,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -6207,13 +8205,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -6244,13 +8246,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6258,16 +8264,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6334,10 +8346,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -6347,7 +8368,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -6355,16 +8378,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6376,7 +8407,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6388,7 +8422,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -6405,7 +8441,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -6414,23 +8452,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6438,7 +8491,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6448,51 +8503,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6505,7 +8581,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -6551,26 +8629,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6594,7 +8680,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -6603,7 +8692,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
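Review bot: the reflowed `audiences` description in hunk @@ -6603 carries the grammatical slip "then this audiences will be appended to the list" (should be "these audiences") into the new lines and ends without a period; the identical text recurs in the `serviceAccountRef` blocks of several later hunks, so if these descriptions are generated from a shared Go type's doc comment, fix it once at the source rather than in each YAML copy.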
@@ -6611,52 +8703,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -6674,10 +8785,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
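Review bot: `recoveryWindowInDays` is documented as "from 7 to 30" but the schema in hunk @@ -6674 carries only `format: int64` and `type: integer` with no `minimum: 7` / `maximum: 30`, so an out-of-range value passes admission and only fails when the controller calls Secrets Manager; the "can't use both this parameter and ForceDeleteWithoutRecovery" constraint is likewise prose only. Add the bounds and, if the generator supports it, an `x-kubernetes-validations` rule that rejects both fields being set together.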
@@ -6713,38 +8834,67 @@ spec: description: AzureKV configures this store to sync secrets using Azure Key Vault provider properties: authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. + description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: clientId: - description: The Azure clientId of the service principle used for authentication. + description: The Azure clientId of the service principle or managed identity used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. 
type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + tenantId: + description: The Azure tenantId of the managed identity used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity 
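Review bot: the rewritten `clientId` description in hunk @@ -6713 carries the misspelling "service principle" into the new line (`+ description: The Azure clientId of the service principle or managed identity used for authentication.`), and the untouched `clientSecret` line has the same one; the Azure term is "service principal". This hunk also introduces `authSecretRef.tenantId` ("The Azure tenantId of the managed identity used for authentication.") while the top-level `tenantId` in a later hunk is documented as "Required for ServicePrincipal auth type. Optional for WorkloadIdentity."; the two descriptions should state which value is consulted when both are set.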
@@ -6752,7 +8902,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud @@ -6763,10 +8917,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -6774,13 +8933,15 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. + description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. type: string vaultUrl: description: Vault Url from which the secrets to be fetched from. 
@@ -6788,6 +8949,49 @@ spec: required: - vaultUrl type: object + chef: + description: Chef configures this store to sync secrets with chef server + properties: + auth: + description: Auth defines the information necessary to authenticate against chef Server + properties: + secretRef: + description: ChefAuthSecretRef holds secret references for chef server login credentials. + properties: + privateKeySecretRef: + description: SecretKey is the Signing Key in PEM format, used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - privateKeySecretRef + type: object + required: + - secretRef + type: object + serverUrl: + description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" + type: string + username: + description: UserName should be the user ID on the chef server + type: string + required: + - auth + - serverUrl + - username + type: object conjur: description: Conjur configures this store to sync secrets using conjur provider properties: 
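Review bot: in the new `chef` block, `privateKeySecretRef` is described as "SecretKey is the Signing Key in PEM format", a name that does not match the field; the description should say PrivateKey. `serverUrl` is required to "terminate the url with a "/"" and include the org, yet the schema is a bare `type: string`, so either enforce the trailing slash with a `pattern:` or state what happens when it is missing. `username` is described as "the user ID on the chef server", which leaves open whether a display name or the client identifier is expected; say which.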
@@ -6798,29 +9002,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6832,24 +9048,40 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6857,7 +9089,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -6873,7 +9107,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -6882,7 +9119,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
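Review bot: the new conjur `hostId` description in hunk @@ -6832 ("This may be used depending on how the Conjur JWT authenticator policy is configured") gives neither the expected form of the value nor the condition under which it becomes mandatory; because the field is optional in the schema, a wrong guess here surfaces only as an authentication failure at runtime, so name the identifier expected and the policy setting that requires it.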
@@ -6901,7 +9140,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. @@ -6910,13 +9151,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -6930,13 +9175,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -6947,10 +9196,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId 
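Review bot: after the reflow in hunk @@ -6947 the `urlTemplate` description is just the bare name `URLTemplate` on one line followed by the default, so it still does not say what the template builds or what the four `%s` placeholders stand for (the neighbouring `tenant` and `tld` fields presumably fill two of them); one sentence giving the substitution order would make the field usable without reading the provider source.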
@@ -6966,16 +9219,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7036,6 +9296,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
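Review bot: the new `fortanix` block has no `required:` list, so `fortanix: {}` and a store with an empty `apiKey` both pass admission and fail only when the controller contacts SDKMS; `apiKey` and `apiKey.secretRef` should be required the way the `chef` block marks `auth` and `secretRef`. `apiUrl` states its default ("Defaults to `sdkms.fortanix.com`") in prose only, unlike `authType` and `environmentType`, which use a `default:` key; pick one convention, and since the value has no scheme, the description should say whether `https://` is prepended.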
@@ -7048,13 +9336,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7070,7 +9362,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7078,7 +9373,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7105,13 +9402,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7166,13 +9467,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7187,16 +9492,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -7217,29 +9528,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7247,7 +9570,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7255,7 +9581,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7264,16 +9592,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7299,7 +9633,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7319,6 +9655,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -7332,13 +9732,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7364,7 +9768,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -7373,26 +9779,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7411,13 +9825,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -7428,10 +9849,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -7439,7 +9865,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7451,6 +9879,145 @@ spec: - region - vault type: object + passbolt: + properties: + auth: + description: Auth defines the information necessary to authenticate against Passbolt Server + properties: + passwordSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + privateKeySecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - passwordSecretRef + - privateKeySecretRef + type: object + host: + description: Host defines the Passbolt Server to connect to + type: string + required: + - auth + - host + type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. 
+ properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object + pulumi: + description: Pulumi configures this store to sync secrets using the Pulumi provider + properties: + accessToken: + description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + default: https://api.pulumi.com + description: APIURL is the URL of the Pulumi API. 
+ type: string + environment: + description: |- + Environment are YAML documents composed of static key-value pairs, programmatic expressions, + dynamically retrieved values from supported providers including all major clouds, + and other Pulumi ESC environments. + To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. + type: string + organization: + description: |- + Organization are a space to collaborate on shared projects and stacks. + To create a new organization, visit https://app.pulumi.com/ and click "New Organization". + type: string + required: + - accessToken + - environment + - organization + type: object scaleway: description: Scaleway properties: @@ -7461,13 +10028,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7490,13 +10061,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7518,16 +10093,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7556,39 +10137,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7596,37 +10199,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -7638,7 +10257,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7646,7 +10268,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7668,39 +10292,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7714,25 +10353,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7740,7 +10395,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7750,55 +10407,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7806,7 +10494,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7816,43 +10506,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -7860,23 +10575,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -7884,7 +10610,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7897,7 +10627,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7910,23 +10642,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -7942,7 +10740,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7983,7 +10785,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -7993,13 +10797,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -8030,13 +10838,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8044,16 +10856,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8073,13 +10891,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8087,16 +10909,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -8166,7 +10994,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -8186,17 +11014,28 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string method: description: Vault API method to use (GET/POST/other) 
@@ -8214,39 +11053,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -8254,37 +11115,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -8296,7 +11173,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8304,7 +11184,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8326,39 +11208,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8372,25 +11269,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8398,7 +11311,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8408,55 +11323,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8464,7 +11410,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8474,43 +11422,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -8518,23 +11491,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -8542,7 +11526,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -8555,7 +11543,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -8568,23 +11558,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -8595,7 +11651,12 @@ spec: type: object resultType: default: Data - description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + description: |- + Result type defines which data is returned from the generator. + By default it is the "data" section of the Vault API response. + When using e.g. /auth/token/create the "data" section is empty but + the "auth" section contains the generated token. + Please refer to the vault docs regarding the result data structure. enum: - Data - Auth 
@@ -8620,16 +11681,163 @@ spec: namespace: "default" path: /convert --- +# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: webhooks.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - webhook + kind: Webhook + listKind: WebhookList + plural: webhooks + shortNames: + - webhookl + singular: webhook + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Webhook connects to a third party API server to handle the secrets generation + configuration parameters in spec. + You can specify the server, the token, and additional body parameters. + See documentation for the full API specification for requests and responses. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. + properties: + body: + description: Body + type: string + caBundle: + description: |- + PEM encoded CA bundle used to validate webhook server certificate. 
Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. + format: byte + type: string + caProvider: + description: The provider for the CA bundle to use to validate webhook server certificate. + properties: + key: + description: The key the value inside of the provider type to use, only used with "Secret" type + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object + headers: + additionalProperties: + type: string + description: Headers + type: object + method: + description: Webhook Method + type: string + result: + description: Result formatting + properties: + jsonPath: + description: Json path of return value + type: string + type: object + secrets: + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name + items: + properties: + name: + description: Name of this secret in templates + type: string + secretRef: + description: Secret ref to fill in credentials + properties: + key: + description: The key where the token is found. + type: string + name: + description: The name of the Secret resource being referred to. 
+ type: string + type: object + required: + - name + - secretRef + type: object + type: array + timeout: + description: Timeout + type: string + url: + description: Webhook url to call + type: string + required: + - result + - url + type: object + type: object + served: true + storage: true + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + clientConfig: + service: + name: common-golang-external-secrets-webhook + namespace: "default" + path: /convert +--- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8693,10 +11901,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8739,8 +11947,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "get" - "list" 
@@ -8802,10 +12012,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8829,8 +12039,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "get" - "watch" @@ -8842,10 +12054,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8870,8 +12082,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "create" - "delete" @@ -8886,10 +12100,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8907,10 +12121,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8918,7 +12132,7 @@ roleRef: name: common-golang-external-secrets-cert-controller subjects: - name: external-secrets-cert-controller - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml @@ -8927,10 +12141,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8938,7 +12152,7 @@ roleRef: name: common-golang-external-secrets-controller subjects: - name: common-golang-external-secrets - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml 
@@ -8961,12 +12175,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: common-golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -9000,12 +12214,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: common-golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -9014,19 +12228,19 @@ roleRef: subjects: - kind: ServiceAccount name: common-golang-external-secrets - namespace: "default" + namespace: default --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml apiVersion: v1 kind: Service metadata: name: common-golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
@@ -9045,12 +12259,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: common-golang-external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9062,10 +12276,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -9080,7 +12294,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -9108,12 +12322,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: common-golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -9125,10 +12339,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: common-golang-external-secrets @@ -9143,7 +12357,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -9158,12 +12372,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: common-golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9175,10 +12389,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -9193,7 +12407,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - webhook 
@@ -9225,7 +12439,7 @@ spec: secret: secretName: common-golang-external-secrets-webhook --- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml +# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore metadata: @@ -9273,7 +12487,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: common-golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-secretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -9289,7 +12503,7 @@ webhooks: scope: "Cluster" clientConfig: service: - namespace: "default" + namespace: default name: common-golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-clustersecretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -9313,7 +12527,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: common-golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-externalsecret admissionReviewVersions: ["v1", "v1beta1"] diff --git a/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml b/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml index 0760b39..9838c4a 100644 --- a/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml +++ b/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml @@ -6,7 +6,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -18,12 +18,13 @@ metadata: name: common-hashicorp-vault-config namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm data: extraconfig-from-values.hcl: |- + disable_mlock = true ui = true listener "tcp" { @@ -42,7 +43,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +64,7 @@ metadata: name: common-hashicorp-vault-internal namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +96,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +127,7 @@ metadata: name: common-hashicorp-vault-ui namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -167,10 +168,11 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server + annotations: spec: affinity: @@ -204,7 +206,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" 
@@ -346,7 +348,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +375,7 @@ spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml b/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml index 0760b39..9838c4a 100644 --- a/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml +++ b/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml @@ -6,7 +6,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,12 +18,13 @@ metadata: name: common-hashicorp-vault-config namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm data: extraconfig-from-values.hcl: |- + disable_mlock = true ui = true listener "tcp" { @@ -42,7 +43,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -63,7 +64,7 @@ metadata: name: common-hashicorp-vault-internal namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +96,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +127,7 @@ metadata: name: common-hashicorp-vault-ui namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -167,10 +168,11 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server + annotations: spec: affinity: @@ -204,7 +206,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +348,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +375,7 @@ spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR 
diff --git a/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml b/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml index 0760b39..9838c4a 100644 --- a/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml +++ b/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml @@ -6,7 +6,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,12 +18,13 @@ metadata: name: common-hashicorp-vault-config namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm data: extraconfig-from-values.hcl: |- + disable_mlock = true ui = true listener "tcp" { @@ -42,7 +43,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +64,7 @@ metadata: name: common-hashicorp-vault-internal namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +96,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -126,7 +127,7 @@ metadata: name: common-hashicorp-vault-ui namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -167,10 +168,11 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server + annotations: spec: affinity: @@ -204,7 +206,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +348,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +375,7 @@ spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/common-hashicorp-vault-naked.expected.yaml b/tests/common-hashicorp-vault-naked.expected.yaml index 58a8889..e6933c4 100644 --- a/tests/common-hashicorp-vault-naked.expected.yaml +++ b/tests/common-hashicorp-vault-naked.expected.yaml @@ -6,7 +6,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -18,12 +18,13 @@ metadata: name: common-hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm data: extraconfig-from-values.hcl: |- + disable_mlock = true ui = true listener "tcp" { @@ -42,7 +43,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +64,7 @@ metadata: name: common-hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +96,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +127,7 @@ metadata: name: common-hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -167,10 +168,11 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server + annotations: spec: affinity: @@ -204,7 +206,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" 
@@ -346,7 +348,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +375,7 @@ spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/common-hashicorp-vault-normal.expected.yaml b/tests/common-hashicorp-vault-normal.expected.yaml index 0760b39..9838c4a 100644 --- a/tests/common-hashicorp-vault-normal.expected.yaml +++ b/tests/common-hashicorp-vault-normal.expected.yaml @@ -6,7 +6,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,12 +18,13 @@ metadata: name: common-hashicorp-vault-config namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm data: extraconfig-from-values.hcl: |- + disable_mlock = true ui = true listener "tcp" { @@ -42,7 +43,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +64,7 @@ metadata: name: common-hashicorp-vault-internal namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -95,7 +96,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +127,7 @@ metadata: name: common-hashicorp-vault-ui namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -167,10 +168,11 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server + annotations: spec: affinity: @@ -204,7 +206,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +348,7 @@ metadata: name: common-hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +375,7 @@ spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR
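Review bot: the `+ disable_mlock = true` line added to `extraconfig-from-values.hcl` in every `common-hashicorp-vault-*.expected.yaml` is a behavioural change, not just a label bump, and the commit message should say so: with mlock disabled, Vault no longer pins its process memory, which holds the unseal key and decrypted secrets, so on a node with swap enabled that material can be paged to disk. On Kubernetes nodes that run without swap the practical exposure is small, and the setting removes the need for the IPC_LOCK capability, but it should be confirmed that the line comes from the vault-0.28.0 chart's rendered defaults rather than from a values change in this repository, and the trade-off noted next to the 1.15.2 to 1.16.1 image bump.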
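Review bot: the `githubaccesstokens` and `webhooks` resources added to the `common-golang-external-secrets-controller`, `-view` and `-edit` ClusterRoles widen what the operator and any namespace editor can act on (the edit role grants create/delete on them, and both roles aggregate into the built-in view/edit/admin roles through the `rbac.authorization.k8s.io/aggregate-to-*` labels). That follows from the external-secrets-0.9.11 to 0.9.16 chart bump, but it deserves a sentence in the commit message, since the Webhook generator CRD rendered earlier in the same file (`url: Webhook url to call`, with a `secretRef`) lets secret material be fetched from a URL configured in-cluster, and anyone reviewing RBAC drift later will want to know the expansion was intentional.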
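Review bot: the bare `+ annotations:` inserted under the pod template `metadata:` in the vault expected files has no value and is followed directly by `spec:`, so it renders as `annotations: null`; the API server accepts that, but an empty key in expected output is easy to mistake for a truncated hunk. A short note in the PR description that the vault-0.28.0 chart emits the key unconditionally (and that the five expected files are regenerated, not hand-edited) would save the next reader from checking.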
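Review bot: most of the remaining churn in the golang-external-secrets expected files is quoting only (`namespace: "default"` to `namespace: default`, the `image:` string losing its quotes), which is semantically identical YAML and reflects a change in how the chart renders; saying so in the commit message would make the two real changes easier to find. The one non-cosmetic item hiding among them is the `# Source:` path moving to `golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml`, i.e. the hub ClusterSecretStore template now lives in a `vault/` subdirectory, which is worth recording for anyone who overrides that template.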

zELo7OiwbMXl_GoCws|hPY~J%*wlsVXp>hMCS_=r)EK)H(&r5%q_~hOq)NAO41RUQ? z{Z7Gl$af@D-m1jVFXAg-`Se_@GB}C*Ax1*P&`hTx%aBxWGo5!Q zRZjOT)ButDqRDY-?CKWbR4I1wa;lW?NtI$%{kjwpY#T^Sfc1?qL~V_u663tHxGr7C zIOSrH`Rj!aZ)f{>uvUql(C~uCJuGt%%iO~ z$c?KmO$k@wNGo!u^nd)JQL3C5#oL^I^nGShaFB&;VlD;;*&8;olY@Da4?^jk-oDIR za$n%n9f-7Obq)+nE<%brefp4ENuwQNlYofY-GyPCw_oSI;G|q9yuNK?~kTIA>{q& zAuJon#()jD*=nGt0f-}+rh?bfCzST)N^qIPtL4c{yPSEiMI#{^-t3FmDgrvxCmrqO z3S=@#-zm~AZ<{+CBzV*r55wz){sl!IPJ+vMCbAL0WtrT_r^mzvDX_QQjoZqr2O~#- z(1Yw3SQM?-4!kGj)|v<|(;6=sVH*MJJQV#bNGY+ZFkMaO{`89=!UE=IUbrT?c{gQi z^Hs507MC9n!Q}So2yN>CU5=DpV(+lZ(0i$&bS*80y#70Oe(u96A56>*UMD}>nY*w) zw{_h={vMA2&R?!bRBhYg1^cR5xV^)+>Oo{v-70${53S)RV*`L;sciMJ>|wxPKafK) z0q11=)_b2Ivopi1j*ev8czYJG#Ve7cW^3BuC7*sLNl2cN5-7GcRnoZH>iP>4ev`jg z@r42xuJ8gCC;97^Wqe0M{49;ZX~p60!mLceO`T2IN!uOZ<)m#VZEsdpsKjlPst8jN z^1|Xlrlh{aACvoWkmh0H1)ycL7wNyGBE^aOdjELhFTM|05>WXnX))Xv;P)FfI~UEY zpYoNO_slX|rz*b_*#UMH-R*wSr`^Yi>xB-vG-Q2%#+V9R#37)McE!yW5OAB8cc3P> zF{)PKpv}>A9zog$MYBRfeirVbUZb!KQ`_Yo(rQ3OYm6{wsW*ucS`-H082aFfQ~Hx$ zM5h9DB(`B1)42V;Q5SzbIetGrXD(yUou}2ZI9bxklG{(lpfH-lFV?Gf_{APx4!?X) z_{CDquKQ(L^K5z?d6UfSomAr1u5-2y_usp-y``gl=Ob+HVBce~#-1JPUC_pDfXUYA zXy`z1g$grMU)#b4QOtiH>7Y5u-WHJD#AnGSA9|NccsVZeZlKnVAiDz=PmI-( z`R`13PC)KR{=-J?dPYO(d1zwq!q292EzCIggY8G}?ul@-R=VMmFJmcbBF5aD&ER9J zpQx2;)-cCaWwOU(-jJht^fmk8xk?39%(i6EwTPSMO>T^;Tb+0FtXq{uK1zKUNBWHV zU*R4{ER=aphCw{KIv7459*&S&jvm%lIAq~+&JKrpx-FA%GrNxXzKcv*SZ*&)drw)j zIxnI-)Bk>cyBV}PE!i}aR_$uHnN16ec}6WPR#~-p1DniRSnh^=WSD6SixvA|;Mk8v z5%}CbJT#;Ay!94HX};7x&HTG`i;5$E$O@-#lMEpx2p?Fw|UnbOfK zXYorG_oW=6EHtgywOjmIJ_!s9d)Z2;OKF_wW=Od3htoP_uGG~@eU`vSK%u-Ad^L-HO2!O?ZmhTjwl0Jx|q_K>4No#WK6eBNVHr z%S*UL(_qQMeNLyZ15pENCOY?~r5u9;i8H%vnGrGG09+!NeG;!O=g?=A!p*)aFyz}{ zLg6OERv;w1`ELG_x0kPLv@Rvh9G{-xZe5}50DPQdGaZ|`z2!JIbDOT1;u?3=rl0cW z;?=K2)^M8;MVtqhm{gFGdBLqXef3tDJ@#EVE{91RCi#{yiLJn@aTSIwa!l2?ww`in zPCGoyrXAQz*Ozl!QGDYcJlO)M5=d4yE637ls_3z%hOdlH!{r`?}#5wlN*|q z!E=mKfI6+ETm_vZMI~hgZgA%gb!x3!Uz(C9-y2wF*H~mlFVZAimjV@}S_&9930d@I 
zpUX%qN&%IuFp?O$D9?Pr@{1tyg&AITi*|Sz5+E2ax%NkL1V9*y8Mc9(aJ_&G+wTR! zHM;GZnkG`)+cT(y801tgz@Yw#V0moXNaydqPDA2f8pI{Qdb036KUc7Ls$j|V**sC` zDOy91PZM0!hCV=J!<`wp*ckIsgift6-3N()6+iJPEpQ)-o#m*yAzuBCLt%0nVq%-v z)HIP!h27(K9p1h!@YqheVm7vurm-5^W@D^0X@eCT&5CW?w#~-2)7U)u?Y+mi_l|SN zIdA44FyBm!&+~n>4-Gl4tAr17L`Vl<@ewB`da?$=xniW>dMa_m#_0Drbm6FF4)jZ3 zxEiq~Uzi_B!yd8Itv++wkKu&qo^a_ciVX7DgOZuc28bWl_ zEFF?(4*N*dc4q>2?;Auv9Sx~K0m_MRtGiXIc$stRd6|2FnDJL@K+FL&kV=3& z??oRh@(eeXHygR)xMi4M*AlOgx2mfxi~K4m;roC=EXXL_wZR&Esg(4jYpvprnyqTG zZn30?RCtGF-$=IUiP)*n?%(agR@l=zZsDWO`=CSL-NIu&t79k4^^=lt|5P(!!hgkL zl&`&ivsC^!Nw7}xdE#holbBpQn}a5gzTn(TGMC!ze}iYm%-QldK(e~~3o55J)HCbh zF{fmpD}o;KKkh7h7Oa53&##Ipk5u)C1X*$MCLByZ#-9oh4kl{{zoC3v&q(UekRAds z&hsPQ*$+%YFZ-TC@09WOD2v$x)y`x;$zJ;nc(Z~=fHipSd@rn!D^s^PRUW(AT z1e1?X4!|!H3*M=fL1l8pTJEBzel;6RYTqk7`nRW&#VpX$?LL|5dbI?swi~No<1!}H zp2Zo3Sm2a|>6~w*d8Bku_cPu$vNPOv6tV0GYFShn^Rlf$C z!y>QMWb@n>7L=)3n;B(pn|+pD()H)V`lF$~Ara9vm8RK|LrKNgs#gJ4%Y%$u(w4`T z5`a;?f@sgYr`P31q@~A@97u<{braPR#P5TKLzZ%xj%G&LJa4WF3;pnqUr?Fpdf2(U zHxvgPkd>2n9a>FZ%`PtQR;%l~x{f-q^s~Hh)=G_9ApGW_5<(e7E<48aXu@wV9}Zl2 z5^mF+@p!lp3oR`UC2~lsr5CLg;`5QIs=Nx9n=-<%<$GI&Q(KqKCA7*oEaoZ?pWS0h za7X2IYMd#)xvO4}>C`O#`OernUPmQsvFV(%@ZrKze&>IFIIR<{(Gt&Cu&^M{at^&T zH;**1(1eSj8#|Yp0b0Q37cWOw&M+-U{U+(0We(-wERXC>m7AEt%wgw3f}}7gpW>Wu z>XINGj+1*qc9JvR!i|C6nIG&SWHJ{s)?%gS0~g8mY6N#6OK74Ue0-rp*Jx_^A9|(z zYNDooMti`K{nGZ6?OqcwSc9p2ntXOon`jEWdE-9xgcoJR%o9a^HA=oVDMXv$mD^$c z-OFi(Bz%&f4<{R4ec(!cUc=Uj!j}KXQ<7TSUtmg`ybdxk8qh&I`Ef!jux=@lyS8Q+ zI|3AE$cK>r9TaJ25yI~z4lGI^lf<(;yQNQh%r&}`KH0_o`HHyDAN7rzc%oLqk{)OT z#G5wmlL6vgW*CW|P*c)^D`&79HbV{gQcy`=JE2vaQG~@wAxa1?*5ULh`;uDdL&JIQ z@%No5SNWPTsr9TVqGfOv{b4zqX0fZs{gA7(n-p5sLOW5mmTMSIXIPG=Ji^0#k~6Cz z9OQoP7p0&mYA}jck|9#H4yPNPR9+zX6;R+>_k#lKyxUA8)d;CPjUj8m-LxzL^Is_ z;IG_w2i!oKMSxX3z~lR3s(5*qGj=gC)Y4yy}jzO>3A_qmO$M=!pE*-A|kI_ zv^Zr(TZy)mybM;av0qB`QI5>&o_X+Uj7p@T<#h#p{c9w(67sN&KlLw2nTkZDMKu1z zOYD|u0ALhXLOgz{Ac_O^hR!8m%e+W{;)NtzwaiQNaG?HPKv;t6dR{uXgN3O>(Q{6N 
z59W2P6EK-sUXyPoM~8k_wC>*|Sb_Lw9Gwt@`C>ac9(lN3sNYkz`;-_r(uOy@zWdYj zbrPPzZr6X6BJy;l%#t&HA0md^ID@{Qm|S^ez|o7Zd*k63QTChJpH%vJ3dkCk9nmIv z{MvF_+`I!~Rv>sBtxV)xJCQ%&?EJV|6+U|0yU$nynjuWfC1xl!u+4Q)7lwgGB&U*R zYh_Lk{R7J|kUjqcmlQSAuA7)U5GNdVb3`aVOqBMak5`e(>j|YV`6F=#%;w$D(M!un zLc%1^fl6>Wkx+-n}iFJ$)3@YfsIrfM+Xc$UMxs=e982~O4dr*ov*dZM;} zD-lsn5^mIQV|Fmxl7pjppt@2XGMl~J!Gc@QAc!em0E-#f9wd?OnzXGC9(w9;H319i!&l zBkmnCu!@nmgY#4lsE(@|p7;yYMKPo$U*ai^((W{&GdLE#zCDFrMSYPZ5GI&6p8+m8 zx3F}Z&#;x)hrnZWra_Tf{DyqPK;^+8J_}RxsXY;+k0Q&4U6zIC{q3O5SA~OejFyCr zmgZRHzsI|^nSlU5;N&Yxt-x)$LiwMtq;`SpSI=8O)i$T3>A>Y;suH^OeZ>c~bUbi| z#}}Y@n0gjKatP?BTX+zolIsK%!5E)!WM+K6n%uS`LVLt^j~DoK5^DQPJS~AdiqSeZ zg^WBL0)o|oJvJIY0?YKlz#V$Q@t?90gpmo=CQS`LCf1hLd1K_Z-PqV+`T2(W0Sn-W zf6+*b<4hSHUxou=8TN+$ztLsDa+L4_)_$6{`8@C;DC9CFvbvPjS^7#P=*_NK*iQ>jVi}r8eocmeGm478F zBSg_Z$8YxHX=uzG;zn?5>;9%)_K`dfkAeK&`hEBm=1?UL&M_xvzHu?|?_2)z`sfR5 z+$r2?8y?iZfhTCy1fOoQa3lJPr3^HUq(G!*zw`E8aiZ8AGd-_g@kAdjb!0{MkC#H|l1`4*g1fGH`4 zfif!w2)ewb`KNuPu++zMI~zCRZiq6ojID!i52s)CEge-|srn}ryvd~;uTLC+&r?Eciphk4}t98+IBM5lthMn)UFmE5O z6I+>b5oQfH7sLnaB+gmt;sN67R9;t373_Y%O10FmuKU~r8|zFm8@!5)*03Q+JC5+; zfDa$766_e*PcljQ^A@KR$%2Liy(ib7@SEGfeLLpJj0Y&m*#(FRqAJ+?=h@%J!JgG8 zfyL4XW8_usP6T$NA0^>|w0H{uq-KaSG^!F6-Evj4{fl)Xg#E)hYee#$?f(z!#PdU% zm-ZA!A$z|N7ZcCM5Uzy?ko95U#QalGsQ*I?=CTUt^b5g&BxX^Nn+Usa$`D-ZfhCI@3V%HRfV9`$vIL>Fv2yW72W%_yOZSJ$} z8G-%dW}y%s-s6>+38=oDNX?m}sc7eOA)+S^3FA_0Q&}omVs!rsajUVuKDR|uEuyKo z)ie6$j0*2*l^ln!$$3$MCQo1QYjl6q`naX7Ivldqd`EN5`&MHw7`XO2bfQaj_3VUf74MS z2v#e}tPe>Cs=CgT*>$EM1}KSCN^OD*D1>55eRcm7GGmStHe-%=$lf%&7AAXz5n2d% z7=)4wf@+!ifECP$B#zaKocphrgzdIz9;9wZXwO@7%N1mE3<5EC5`x9t&Y6?eJPWXy-t zv_`9_p_i~Wpco*whRzvp))M~XKZ7pA<8MFwr(!(mfBdH-+W+N04b@zA#@!+?SDHUV zXmXwaf`x40*|-ALq+r+G1Ha~}5DeV|ph@kr-;gT)D`ew@7;lWh4X_qqMwK+7*uCyF;l z>8wo+7NGR%5?JluVz2@U{DlBmMEVR2Fzb$kK$uqJrLXx)fx^FlrdH!$`5*lA%Yg4K z5i^`g0S_hP2a11G`iYce-A!3-C=tpDLldJxy95WT+Y6=x-vSuN*J&7KtQa}5D!;j0 zt$zN+BmDKoU92Ae%^<4?w8UOhEs&IN=OB;LYAyI@UcdgigTTd1G!o8a-KMnc_K~wd 
zLp}q^hR^chqgy08kqWj_C{M$cmAw*wFL;sT-0~wv*IRZ~+kP^M^Z5~}03cWqxo*Q|LP9QsOFkZHGGWs2@qQ4Hf+ijd%`7#+q$0f@j zWUT(!C7>LY$*2t=M+3LLONaO|L0|TqBV;ZWe7+<(m&Jg5b30<`eSq6go&h5ZnbJPU z5MkGZl3L@z^Wp8geY(gmiVOJf6Qbb9;bIA$)zEQmN@DO%;?ZBTUh2x1l?1zPKJt+7 z_ZO_*J_x}kY;p&=M`={r@(Y2-AXiUq|AgjU(bC|#NyWiIBAg<nU2st)(U{+Ep>l&( z&91l>h5QjB#mqtxx4QnRDy^~B=ZdEM7WK#p`pAp3;gL5NH$xuYpk+as*CVY?zXoGg zUMQLPBP%RLYcrTxhqgPL@?spEUP5DZ9`AY2#H`{DUi2J@OqRAAu^?(uwHG2c#Znt+ zMD`Gil7VoQK%AX$n5A*HE<^=Mml&ME7InO)5jO29Jp zc>lwA>IiNCYKOkyKQmgBpuHvZx+!z6=m`qXw-FdBOZ~Q9E?9}wwqPNW2g0dN_av0w zWm1uaEqrE$UA=}M<5cQPdG(lH8bcneC%rNZr*-|m?pE7A(Tk{RAMq>H{_^@sOk-HG zqBdrHI}sOoL8X4-e2wC!IX8E`v7uc}p?Koj3AIw#e)=-6-Qi@Yg%7qRGF~l4!fHiD zn@)Onhmjfe>{EMMt8EHKC+j&;byAbH@rt9)!6Jg&b z18!S|$})ET+9x*FTI>_u?>9AeG&O$ht0>?3{&Tp4$jjq2oPjWb`i&(yU%=6;t?t4* zI2c}0_GP1c3qA6EMVjuyyXxqZJn0KJmW6-Yw_lSt<9;|lh{-(YKM$M`IO=l-45M9J zi$zn4&?Llf`QH#LwIt>(?pdNp={B@e{Hw)o>+`+DJUw@1+e3SkJ0m(FIhiulAlVy=>X-3jE(47) z2gH%q0*HmQwuOv5k5cOMDq&UgmQ_`c{1)4zxD$ou^}{bKud5Zx-J`L;7)l<{Y4otw_L4RH1$frkxC>+>HKcP9<@Jw~RUIlC_@!jj$yRru|NTDed@XvCFG0X(yYp<_ zybwc4djUVdJyaV?SLtd4^GAZOyw}}4sLgGjB2|jAN5#tKj2QMxnFq^grJ-yjjL^YC zk+6X;b`u3jGZfigp_8`c35mb=!n zw!cjk3ZAsfv#AUVQ<L3rZxmcu)9u?d(a(?V@tbdkFy~wEw2qUW zZeiTF_oE*=Pa2$z)_$~a<^z(`T{5Zezl;sJ;>70c|%et2&PLS`7PN` zQ(x;UGzjX-Y$MZ7R{S~HoyaQhtY}lE2`E2DySjPk8!d@hgm((U7}uFQo2$e6@~4M zCt1s?Qmp86Q3_4+DEHc5K(WF3X}EAZc62mfz_iF~5T1+J!8^N9#cP6KEy5s>{pe`G zxRh>?u+;Y4UK)wu4@(r%kdcRvaeC-^;c=%p-fM~5v@QW0xMdCZGN(zdmXR~t>JqSz z>E0Trk=h3owB=!7twZf_Da*ybA3brJ`=LS!)P=2qz!lXq#{p@NXb+Dp6f6qOC7?O)wVQ{4K(fg@nh`2f95m1{hBj0OxJrki}8gyeu+7+AU@?nst);JS33+n)E(2=^S*CVxojA$#XYH0I=EVa8!b^tve(0Y(zJPo@ zO|KhoYFF8?$;eD{;x2hZEyEydgKNU&~fBb#3tE8gTsE9A?s`k!+vY zK62S+6Z==7z@UF>*M8hqq9U0E#0B2vXDG9f_nlwLrPG5?`Do{=5p^F*I2UD|jdAP61R_9*yz4 z_)l)HCa$zCKpno!cNt6E(7Ex;nQ%ck8ru$W_eP?ZxS26^UE*SOUZ~93fM9bA2Ad|k z@eEgMh*T(Czqg#9<-q3-WF)JqeDpZvL`x>h#{t#P_Fqs@guCSS_DF^@BBFZ2b-o5( zQIc2_9(?;}f|T=k1>RJx^x?^Kkphl#d_a3xMaT+9dYiedNOU$!f}YbY2X|lEsS9xg zTNcp)Nu5EFzj29 
z+!?cjFthVz@qhB@S2%hhUmo-rMln8~9<2zIdu@d@!_dujZZrWy~$!Q5GsyIgEiIv1m z?}GG>zJD2*bWTXJnStcU?wQN<6a}w@Zf z_%gzrNbZ)Kk1~X4`y3E4#kwQQD?@wZ;f-59>1y+E1s+skh*8wElDNv0%mYkFvWr0L zPyI1O|AHbETI`9X+AC-OA}dHgs8>fp26(B-oria`^6J4BhBXAY4fejDggym!u!O8V zg2gTwgzDX*7K8OLnIO|^54Uxov@bYHyz(y3v6?K_vRa580b36Nta`){$Yd99Z%5e6 ze1dyD%QRgRnK`ce*qm?VkOwTun>z2A6l3o~Fi+mIP$+zu2|fG7bms@q!1_pxk=3&< zwtIH;%j8-L0_3Z(Dii|+aZ1{Vnvk++gEJ9yLhN8Y)&*AeNXRIsW1whhQmJFPO8@EB z?v!`VA=*f?h!Q z3{vB>oPftI9Z`#O+t&l1@9tb*2Z)SO*JdxTRFL11UqYqhT)CO>viCh)^cG#*;x++8*%!PW%Vp8)18(Cc$1|n){&M0{xZqh z-H|SdSSkgiHlj2UVu~7&2KiF-1j&v^P(ZAz3FnDK?W6N*j9k`uz`@4L#eV3J z1d(Z^2}XvmKGiR#X>wwh8)>Fh@-Tjj9Vkex_4iaL&vGisiGs(NVoX(_EAS(D{+K-AV) z9ZaZ8;Mxf!)p7W4Ve+zPN}6@&&lrZWQ?5TP#GyaAn2k8&4b2R+?Wkj>pdzlMPmv*1 zkL{ek)+Hs3-0_)=8VL&tFlx5(5joLF_s!+#?ja_7u;@G0s~6Wljd_a7t{)@0sl7~m z0bX!Kv&7bYP0~@7@^GvTcEs%6?D^((8QSMH_{8;>5J~5NfVM7}EO7Xp!0`H+62_=S zX7z=PZ9-1S;{Cw;)q&HD(SKLcMO8fVSihr7erAp3E*qW^qax5eW51~~`cRfH7cr47 z_z$?EN3HY?!b>J3}myO1#QKGeXl`+wBoTVUGN=gnh&4a!KCUTNo?8RAlTE`CM`;gP3*XivN=>UCkhjyfkiJ4j^8smhX~Ey6^m$ z8G*@w3Wv?bC-^fCi(wrl{dU#QS}{Zg4egw(in220oYYkk^$e9*c^OVdt^D~qyBfJq zEz@?Yj|#I$Nc6pM2c`@^a}xFg+iYzZ)tJ`OV&YUS3Uds@=lvvgKau8{RazrJSYOFC zp1IjyYTLgNHQwUe_g=5?J*)f2hiW#m+RYI*&L=e#qElaC z8b_RKJ3_m`ohgTU4oC$VK9~(2@=5Z%7Y`jKXhlxe(!QqWu1q!^=sX}hDlk?){Q|@ z(&^Z-!%6@}vdlsic2$8C?e=5M3(S*!YpuLg);$v_fRvpX=j@h=th}tuT=$FrCG(Sr zg~QaJC4QEUzv;g{hW5kv-{b%8|M2}|{eNZqX8+mu&-b4_d%pi1`t3j4fByIz@B1yR zrP5Yu#uCr_W)aLT{m^gh*Y*2X+WhkQA6&8|8{M)+*xMXfBOCR zPk;CU&j0!T;~&299{09_mi8Avf3^%h`biqZ(F^bT$pf}r=KuM4^nZ=^pFEiR=`0DB z8U694xGx^RFW!Ph?80C8QRbb;iT8Rng`fS*Paj;y3;%_8nPtoL#dv%XWS6VyXcjNV zl`B{N!-HUkQ^`*gb~ECiuTnpOpE8)uY^3pm1<{zLDgBtn!!W*p|HG0Cf3%D)9$fji zH*qpgUpyFkS8D0Q%7TWT{1^685PJCk{OIkE_W!TZDgBimUcyKKz7pJq~`Bxy8 z`HN-901Ew40(<=beE<9B4*&0>wVeOE_h&CpN7c2E|MyRxmGJ)$a2Fi@-$g5* zzjw(}Z|eJzH}{ueeCyA>bTym#X?ng2!`uJk!Goj71C;3}UKT^giy-n=X%Jl~%5cgD z+VgJXm3I?_p%?iu3iJjn?5&m_^LUrjEKd9fKr{|QI0Qe@{^})wtXIj*_Z}ft@xL&* 
zl>VMKz4f3EAVQdrc@MAID$E}0!+ke;@Zc>D5Jd3df>5Rh|1Z1ry?Jnc?k7m85UZwM ze6D|)dMuiIm+=j*6o|}uaIu1M;KRj(8H-@6K;Tx;1vU&z^Ij1}dg1;4yEo!I(?5XV zd4K%zU{jR5)7J9-e}VhH1Zp$NmYeZ{?eBko|MAo3#rOZ@@%N9vckh1}?f2iu|L233 zUzT|J@sS`Of-eLAJ)>*=;Qt)MrT+c*Az*}a;BLG@`Ob{+qk%WfyWzW(&*B}9IQq!K zmCt*=2Nos?=DzoDFH2U@%zOTn{uwMzSLf%!7jG~ecw#IcmW5A>mU)0r--m}UXCRd1 z{m+Vp!Fd2U2KXe}!05pzpN~!bGn@f8gP3i`fQ$4}e5*OL%C`+;gmb_H@a)525o8=| zWtTzfJp#;wAUS+@ihU9Pq)UGW=;r7gkX7ijRKO1TQ(yv94n6+2AmfM-a0pBe>x4;Y z@nW^z5XR0$CuqXW@^Q zi(4kZb)S2Kzoo;!rGwH~d{Xm!R{zh!?bD7G-;7|#@kr@t#XaG@LN@h7ljEiC`Pr8D zq=TFPTZkaAp9IJ>1423Y{|&ssF9Z8W6)zSr5G^$|SSs(x*9r)6F-kATw0t6kK{N|j z^Oh}+_##?5rf`5WpvZ5;L?i7siQP|>l#0K>s~_dU+bD>~N=C|wv-Ziq0b|6OUxG$; z6fWA%htpd=ki1!^esUem)b}^Q2&h*uBWUuai=Afizt|$ow^4h)ngKq%@u!z@e6@AJ ztBKqJ)WT)B@ZmYliZ5V&fYxl6kN?6Ohz|!l+1|`gvLT}BBo0GA+5SB%Pw4JjD}3zl zoe_ZB?q6wu9`7L#oKvwHbCOeD|FCxXT!YqnML7r6uzg@sG8WDJ;@RtbingOpY`ujw z%dxk%_O5%=#~w;^Y_^x2D=UjGsd%z%HUptOLp~nZGo!mkA5Qpp@0wWdVz<$Zuc9OX zJ!*zX&d-m&YZ^4tx2$oza`=Jx$G~WScCNNB_-Xgw2#)pL8{pYE+n{Sadr+DTv?GvK zpQRCK@w0=buZ$sFCIyDW+XLKUyau=*0tQJI2tx#SumD;vfV?Mg6N>EsA+E0k2|Q%i z@hUM9&}g(GnCVX=F@_|{x#adj3U9n0h-q;e05ZMx9*I9?>;hO5B~ugslyfcLm1n3x zvpCr%Gc^MCuC-IHZM(JTf6II*Hwd7q*U~+pOaHt7xMcr%^6cqTXaCM%UoK>hJc701yQ!?@+HVysxcbvPlyAR&0iw?VaUe8M;$H`NQ2z*0q#18e z@!dW`wLc$8iVJ-C3zp3;-)KO#1#?wu&4KWo&nR(~m{Ge=a=Ny|SjO|pDPXIdM9XRX zJ^xHQ5&nm;u=zf2nKqlz_Hy~$^UOC=*^0biCbJU5aSTsYn1S0f1IXklo^6VI%sk3qNcG!OJ+!-uc;0 zoLseSNb8n=D~vki=p>gg6ga$!mrXBh+O+M~t+#A{|4H@g7hs^SWe4dI-2bC_Fay!0 z#6AydG>!xDMcX6!PS|H^mV>Y4I0i(0+jcaZw_mEh#erCIk?K$y(#g~w%+MPSXUTk+ z`2Vx=SN;&B3b@8B{IQJ+P}d{Tvp6-5CmzBOFU5~GbX_XBnujA|{$o9fuUQAq(%&-F zXjZEbs?{Nz&yyctG=o*CdV#q55#WL(s}6SQvoO2-jStp#L<|I8KTVI5cxePf=8_J;~7>~j~9*L_oF-lc>>jE7dL(@x{%{e$A|LO4=cDJ zVbO)}{jV$kcF+4?*SH-tayNhmCP~-?9#s(_f~=p*0V?|ih~W(I1D;h~FR?@+*EfA# z{h*A=YX68wm=>|+Fvs7=anj1{b>2ssB8jtj7KbmqvxDQ(Z^Fry52O87ylBPsq2KQ- zzl7rXPTCpMj=M{PuK9}> zu*JHK*Q_m4XXc$WVWvkO>G5p`M z;HLd?%abqTFuu4wT_PTVA5u8gpm32JyKKC$<~zCsQel~ 
zFNM$qudgy*l02I$jgPC7^s7A{F6Yzxph1?JwhlyJ1M@`?O|DrGB0%}_^uM&Cd!x|` zv}ldxu`eGYR$5@;Z`Mn!8L_a)U8|$NPJ(EG|C1@3trZyDf&ZUA`Jo*D@pS+3zQg~! zXq)1Hx)jzX!eI&F(|6z8*%WXtG{#4PDulVa_Izk{N62xTfpSWD&&IU(1VS> zO5)X0Ofd8Y@E068!p)~*rvv)2B#cAf8EiXV$iI_=N*Tj05>^)Y+*2 zxIy%%{%f@a==thDm-5HjwaynoiVIErivXnFb{t+n{7l~${m4o7RSjvh)m9(*rv{Pl|WFxmf>)?0jBr~ z{s6b|t3VjA+!OyC$CR*d*)8;{qQyS;maeA10-qyLSNC{!hE+QTTkf%FgZ)Ywt$W%m z_&;&7_AFqR{Qu*N6|mt-?_B9ChidnYD}b5o z$VKnYb}~|i-`wSLG5QH17QZUM~jPPgg-W=c~EaGQI9U8$DL6Rq@fMBls2_tKy{I z*H#Lq7hGxC(OYm_`~qNtu8TMcawocBX?9HyI5{|(&<|(o2h?r9uKDo|{GH3R;VNNa zWlQv1dI^HGo8WQo5wd1PuGUoBUK1= z=wJJxi1;4iMIBN9;&4Y143>(aJQ$kCfzKOu#6iwCG~gf2Yr`!QSWl7#W#3#4Ef@aYep%?kz#S7YDtwPA0ZiOk zO!i6lkLN4^Kma7+@ZbzYCQU@DUQ8x}QDtxx*Gi3qvF8GWm4UZsh-ZVp}=TAlPC2!mN379uvhjZ6&4 zH=Cac{t3Z&^78a7&zMT*#*ZlPS_2_@S_oMH6ee`VFOe|OsM1Wz^Vx*~(%W=3T?83k zi~j+rXLyj+fe(m&6FMQ2-n`lc9^3(-#qa%P&vcC@TK#WhX99mlZfCIbmlO8f@ zdfY{1ehMR~H!9N73d+h8TyXqZgV3@0ql=OJ3hjrueVz;xuGGyX@UmW#lLW;3)niEg z`uy!iSnS*Q8g&T%O=;LBl!gr#TK#MLH`qkpt|LJ!>N}O-|F-xILLe1XQ~czq-^wr~ z8b*DqKr>r0Hc8r!DtMuB(MRXr0tjue3~N@2h$4miAIY?(zPF6$JPk9FO0H+8zsHf! 
zvo{mLZ<)REL6p1HJOSB+F6kJ?m<3DV#Y~RpwDggFJ~AC!{v+^~1O*nRTRJSxzY6<& zQ|o%*dOOfPVmRN`ymG<6q)3Hlt;6b&py)WtSIvl&{Ky0In!sQR3Yvz#rk?@{t{SOt*%AQM9nF%ObD zGF@#32qAAI`PhQ^tdusZ1TR=HK83^wh9#j#vz29YgTR)qM=t4$J+^GlJGzMYGd|~k zM>Y&D0diO~ZUP>1320RMZ+YxxCa1m$iV;xA%AHh0HjXOzC0G;N9B4y0jN>ql z=P-`LI2&}6x3~GQhB?2uF4v3+SHhUt2{oTeAL(4P{B7G}P0@7RBgcGN9+-q|UihIV zzh>)Lr1KPNDyjCo0Z0^(KfDV9Ng1krFwkr@2clF7y013d*FF&gE8uVi-)ETcGdx!o zEQrX}CnT-YB$V4xeKu3NY0SIv!*F;Np)NMJ;?RtwkvKXzop|scuMUo@7qW9|JQ_}r z6!=tK4YowhaW49X(g4uhg3MnSP;F}*!;*xxZ^nd7b&x3iEo?xlj5lXYqHHhheIreq zk|jfkb`ue7+C|YOVjYvop_;$` zV&Ka?kHav&!AbJ9Vv!*gy}IYIFva?4z6YFgo7VLr9%4>8cq5sneN}&A)JcO*I=YCz zeY5}lliI~;N4DpEIDLgWTl!4=>EJSmnE3ZAKUuJ->3IEUwWzitxr>`!|U&O_vNJub1@!A0aK&BP!3)D9nr<}IG)0d;AQScbc(a2n8wOz6WkuX z<_->d@@t~*WC)dvf^KQp;|oT+@EDE6@<)=KHN$KDYY@4^fJ?d#<~8P#*e9ib;xIV zvA7*-|AipiLy*~j*07LN*qRCWb3cQ1Yj$V+Wd#4{3VnD1fyi4pMzo43<8n+89ot^A z%#T=;^0&yf@Q#OhIYk|l^Iv&gNI=KBNzpqI)RA^pu?67TX^C~0p=IgKGyD;lILszSZRZ4em_j_mlsf4@FVC{>3c_ zh?=XAa2t}dH(ON8F{MlS+sV52g+wu ztl~k{VH9o%y#y8_%L9E5Fkxho691aU(J@gt?$qcPHgigTj(Hm16aRcvQY7$m<0ZJu z3`~i6s?H|3^s}I5Na^k=Q$yR0P7Dt|I}U>Mzy9OVe~$3GAAcO2VA9sXcmFMV)yxdP zw@)X1ai@S|Hg(0Vy+$ZZkb;i8QA!D_{xYFArq04TcTd%vyQg#a{4=?G)*_37izn%i z{FJ0#L~x`*s{O1C!8V&ykuJP#*jHt_sI`C{JQ9?l{0X!a8+Zmo2Qe&Pu6^ zMhd$PYkhbtmW#IB?Rwgk^M$j0*I-j>wIj8ksWO`AMiKdGGpA(%geu!&v;}-_inbP4 zu=%xYdLWgR9OC29pRY79#2A;7-S|HDzj>|7n@ZP`EB`hnVFQ0Y=E~57CT^Iw!&F&V zRuLW>Ez)~L>>e&`^nb&D|3BZ=ue#YLW@Zmh{6(Dk9lip#ro|IEXvu)XClfcG_9MX4 zF&_7t7oR;6EYw(R@OC^JeTOrg``PTW-9~8cGM0;;$+Z zqmDlTOZNPkMb{4}Z;W~y0m$O4jGQM60DtY@N^uNv89Dg~mq>}d_Aqv2j6t zl24P+rqQy@FQ?IP*pU|0=fOy9ZF!UA(-k2!OnN5F)PRyJQe=_KZjVr@2zPAx-5%-} z)7295ZMBBnSnuh&UNx}xmL$5b-O;wTVdf5lcLJVrYac^DPyP~KcOex!mg7_oTHv@4 z`2gPG{DWY@gp!rV=yY)&q_RQik9gp7P#BlEw>-SZ063lJ!Bq=A^JAxSP>-QIOiJc@ zxPj>Tk-!b(jtA7KVK(mZQ}eI<)g(3-(2m;Jp3T&gKl8N`24?J8brz z+^@9pHMW-J6MH;gw9*eXIWZL5Au5hg(>~_{mc9?^U>Bg%1A6FiGD=dxfBm8Oe9_cglPq7~@jcxRk%4YfwFukr3-G_oPv)ljt=+IC)}5 zGgyTe)T<*cmrmNrl8dHr20CVGdJ`w}y>dPZAm1kU!+JZWVID2p(N!6{I0I7xhiypb 
zWz@05Jyc()L9i9~P3cDb*h=BLx~)l3KaQjIdXQ2=uF>3dXcATnhzcZXlXUIQm-+#VGFYH|PEf3{TjD!4xjBn>}pCPBFo-t?VGy%j!A?g)!Az-*8j)X$2 z3JTiOgZa3|H9@OJa*^u+@(3azUw*yYc&GN&3?os>&RItcs~r-OGMpGXhX?F-%(>zv z3lafgO!|;^iwM%0_N5qf9{ZgC6H;F;9E=n_0UlG7RlA(V4{Yk~mb0Ipd>r%_#J|5^+S4IRZb*+F{ZB{4=_G7OuG z(Yr9=Zk~jq5s2IiuN&kxxex%+cdygVp>C~()Es9$Su)*zUz#DjlQ&6_bv&H)sIM4W z`YXLA{l|F*+{=ZZNmt@U?*1$KNgk(TmbX&Va3ZG3FOf{kEMt7pW(hI}#k((;VIVUS zhV0f)q~gVUbRHxr1%rkx&DvF>MtM7Ikb^mDSVu`*J`pl})v!NimXb4WenI%d8KN{N z4QrIxbCoSul;n(wU5!rsWyog!1UjihGMUN_yGom}S>JZr%PmZ0_{dF-4&uc!z#=t< zQ(0=hWzn;~cEU$P*h0-JLSG^cE%y92=~{>|TZI&-+%CD*H!3Gx>uwv{#Jt*PAor`_UVyM6%O~6C z5!Whw<`7Ob!>%@-)N#qV@5vLB%jx&sSn?)aNvgK&0;Kz{q|!F3?C>4KaI^A^7q^hC zxd;t|(_r)FoaV&__mn%Qz(twGi>at?%}KO0fWX3tXGGs3IY~?pxnp!qlcd=~yVmpx zlbofsfXe+8%4-V>>X7clnr9`i2U#|RXP8Dc9pWjz+18=%pC8paE>c|+I2WXv=3J1R z3zBm|>gwxUkW_OnNO$Cd)Pqxy$oL?WIyCzR2~xJ-WUMs3<0r)lrTLmIDB&rdZ?M1= zq386Zr58B2-XaU=u?tMar}SI;RakZ@xjwQmnDZGh^qh}6h|2f!el zO}zIvQOhHr`=PJ*KEVWvP5G})uUhd1oN?Ws9t>2Cv+jyl=k1JARSMmD9FhJcS1$UA z*PbInHj`&p0%Pmd6X?Dj(w3Ex3ezj#C94nx??_fP6Sy)f=-doKp!9e8kkXU%v)}CB_=)FbX)Q&zKhFc?yQo8vj2i*ENcu(^aJ}k`Nc*3;IO;4CFeA6SQ z6?Ywt$?bzB>w zZ8|P(E84=bs;CUuI_z0q;RZE<23s#)F`RuQ{TxU7no8_YKQ!1(i(ksaD|GJ?c+8su zvy8QmvOGnZ$oW!QY#+rg+A^xhww@!vHY!f}(FFj>P=lus6)KU;B(+dY(ALLNdPgF<;4P1ylMK)S<3&3vb{48*OS zy3WG*+EBEJneVbjD#^Ip(}vAPGb2A%8*k1Orni>NLlW!Aq+<&EsKjD~bW??a1m;nw zsn61D2D!!x-Pd$WvQ~0g8OGallim0Ao9nbR%+a-I!x}zz8e5*O{w*`~7PPg(8?SoJ z?(3|GH^Tyjdb9SfQ6Gv^o>;C?!?Yi}?UU7J>ZMz3!}TV^57G5*63y58eog4wc_idZ z?TRR8Dt^>mA}ep^c7S|*3y9gmYRI3Xac?7iKQ>EnhOmsJSrcD3wlP#vqjIaf zIqc`KU(1IM`&B=3*st0w!D-{8o5x(WSw~KTw zST?(Sna2zm*>cMt@f`D54+9mIv?H+_az7%3z-tEzkLLU@WC)+UJ8bqaw8>Q5ss)?0 ztW0Fdm%or&OSyw`M}R%(00@1LmwJqZU$yAmGHv2hl>!wjkDoUc9gxk8;pk*93b47# zL-siw@DH?6?&K`C&b`O$6Z7lM@Xbjm_38AhAfHz!;AitN<G7v|OdWN?DTDy7N|Q5+3{Bh7AWXAp3N|Iop>_GDrrvb*qKc;yk) zbI!f_iZ;w-)w*ETF%RizF}|iN@3xU3VN5_xD56>Jr*^(`sE(qsQxE=KL?hnpw)TPP z^U&7D5x;Ox{~hr=-LOA+o}&>E4XnQu`i0*_6o@uV%T!C80*?(o_IY_qc#b~Le2KG` 
zsp+0~a~Y?cSSTyv0RC&R*J?=7AK2h18tkdm`h`cM$Qt>44CuGPI)r%>Udi*m46l^q z$`GJ56c;Ls7c~!5@m94Lq*xf`GDhg-Um!)C=2~?ng+jI`m-w? zc4$iBENYLXQL9BdN}Za^;_&*VrS1lWap=2(tv{afN~%59#>uOU)g4yL4e93h;6PF= z@wy3mtOuUe5be@f=Kx*gYv@%fu@!&D8Cu?02QsREV{25sd0F{HvewPs8mV%K5P_M! z)Vn!n@Q~;4%+ce|^nw1wnecbk{zQ0?51ofs0@dnVYs($)exzy_xW-lD7y0}1(!ycD zWfU{`b=#o7cR!p6g;+p^=kUFDsnHT+chQM(J(Nx>lw-Ez5y5e9&C0F{AM*vLtsQx50)rxr>o+ znp6U3gOZ9Wdm6?wp78?}CwOGY^sCgsBF_kqxk~(V;29%SQ3G?h#1wiUIDVGV>Ys%- ztE=bj>UoRi>UsZp>v?M!rn`!FOZJ}*{iGnroq}(J^`w;Ank$%-1poc=^u4ZZeuNtJ zs~2!=7iicRiT^zaS(+l@tB-v~9d>CTN~Q!mhw~!s8Q0k7nUJ)uqpTdNZo*J{ z8dw-f<`lP8v&jJePPlzg5ilrsu7plNem?Tv%RpO|H-4c)_-n>C$cD5CqOLBTb z+Yk=N$oXR;I_FzVIc!rIzMtMkGnEi^h3riJ(MNQg>dKd3;{G7l{OZ$W8GJZ-V;sAt zmh$QoQa|rQ5|-=#6>FDMHUfhhfJTO1w#qK~>+MKLQ(QBArNf)zS#_H_4vQFVMy@9G zMC3mEh_}m4b+{6%5FUfTG%bR?Wgnt6wCxH`4*5`2b0d@kd;7)8RyK6%EGkHy-f;v8T6~_{qxfq zMM@gYbY6VjICk-Qqkjz(kWIDVN$iDL1-aLn(OjSDk$jfc4B_TVGa$*5IRT6Hu<(~D z>2)BlgC+$ja`BFwO)y@PI6FKfSV#;j0d^?JB)1_AFR3K#XVG4E8kTgVapNju2uY`HbMA`0_ zFOSc=CCFPj?xzLRx*Lp7Ga~sVY+gbAx*Gt~Sf>&hFoT|Oo-9wQWBR??9;wU)glrE| z939X0M|tX}7JgG&5?RbhZAOH01|0K*>8mE(=(DX*3AUOCsEad>o?7>@PsBu}1Pq^H z0iWT;vS6XY*UNCFvoxNl;cx(us6e{$!*F;N#W#^=6``3a`{~ii=>*+#UmYBKpW@^y zjM>~fLYqfWD?Hb?j2s`xD_4S79VlBa{bWbjNe-$=*u>$sz+*9;1nIz z`^!*0+nn!)ac~yI)O-a)CD2H+FfLUGE8SExS>y-{XXwv<&-)C+e&$A4`Aj(uaJnmp9UXRb*l``~ zc+3*Ewc=zBMT+K7WK(k}(smyXMdst&b%IBuZZr1NDwu^+2muR~ z&%J|*H>EjL9^7k8CxL>0?sUQp-sG8$I2elva;Kn9y}Zb;Jt;Z9c=-PV>1gwhv$Nw< zM50+di$hY;lM3D!X+Cb@$}D*GW^D=Wmj=U~Dm%i_&fc7&UL*pzchr~UWiVfO)7#dh z=SEj)#*SOOv1F@Y9p!K()$93j@!Edo2i7vJu}4ie*{bY-Cu|Yn{76Y)JMz)0-606Y zhW2=fKOG%uo(3G-4w}Pg^Je_2O-Mm22@tNS`QB{(In$lHSizT0RYXx#_x2x!b(7?I{H1d>I@EKKH5QFX|xThDDaMI>VCjw zrnELtm$$^0>kDe7GA7k*%6^M&U3FifC5CwvGL)bUub(6d-Q! 
zjewy+PYo(}Yoya2v_gH}WsF(lhUvi!^b)HUkz%O!wzeAL#xT0{)2W^M0s0Hn zBT}O5TnEvCK}a{DM{{E!J8HuzAkN2I%aYrQtDw>od^+v23P=S%z}QRYSKP&#NAPP> z5f5^`1%w5J?>b202vg^Eh;V)$aX*h|=?JD6u?71rjz+V1F^1WOu$kcnX5!%y_XynK z#R?8!EYA_nX$U<>m)RoxmK&cj7v4}?Tn}oQUvE0AHyCJT;5zY(RqK4;t7y4-=t{-1 z-{3y(0wzqF3z(3rZ~+sJ{k-?==iLWP+QX;s(7QDw~Q@RY+- zg|#|7=xth>i0SYYXww0gUmBe^SCvoWW*aiC6>WAvZ9fT=qycF ztrCXOT5Iytw=P%6ze>T#*D7@wBJt`p_ur*tc6yS#mWjH3|D@kvDnQcFnZjIrOsA`| zDc852blUtjwsa71T3f08+bZ#|uFVwN*!T5EJLNWhg9VR!Oq;m7{DZjo5j<}h0R-K| zZNNy=-GfYMtwG9~r1Vm?sM;8#7HDRq#u&Cbl`yhHx0iVI0q49EWi> z>V_zyE7gX8#fu6jX37bgI6F`*k`zdYRV?{72p|J$xF)_<;JtR(^3vR@lx@eY9Ad;% zaf<`*k=Xusn5SLTgf607U`Zcke#DRu+*2IkUIF3PXRg;K=EBfiT7L&}Ht~057DkaV zxQKF-?lPWxk5b?F7@H5_KZb$m**2w_lxBR|*uAuYj^5JTZP4B5WynppGxCL7d35eA z;9QAhR-lZ+d==1p=n6xnShQLOn9De)JUz+sW)2=Uuk5ruu$K0@#)YAEEJ|)x(i2d@ z%DU8_<)iLHYBP2uu{Mrw+i~O$9Y%U~6ftxVu_kQY4j~&y5BKH(vgH_JgA04#_@PaC zq1}e?8u3Vywwq@T;2#_o^>$K-!qt#6o>YLgOuQUE(gwo|x!r zCFK1nhWzr zqPztXClK^M;#;;f@a@s67~0sXtwdZ4E7^5@eZ379VCuj&#B*)u;cTSHHkxemQ1M2u z`$#Wl%d}BgDZEl(i%#EK8B1Qp@kQv1JOsxf%h1dIu44l>bp8h@^uS>oyC2$luRGrs z!>{h0B9w2%`L^`11?SuHXYg(Dyql6{qfb;R!2Cv(2JW4U5#w(mrHL9FcrXN^S%P`X zd@L>s%AmO@C>I6gqM$rS3rp?pqo8bJ`%9G2{0oD`RGL3uPE7h?4~)7kO-N+n)+?ea zzeU4KBK2^1QAJM7&9rabQhAVtY-%Q!2iY4owUf*FCm&f7uxaS0cO!$BoEP~LhYO(= zsBvFpa^X_m>ciG$EG64V!BK8Fd)_JkwngZ6dE1@T?WFF%IH%FS)NN|`Gs)$%brPM+ zU96T|lTVT)*c%)5Ru=X=%>Q1pPL@a)b{Tnx;-cXNl1W`S>8D&SJFxM!P_gK}U1!N~Jk=#jz`DoUeslN&8|~ zgf_#*w?`-fMM)S0^UG+yi~~4c{2MuY=C$Kz@^C~Hr!tdE?XN^5_nS4iT21{V^0Q`K zUVzbS)!m9wV1*C)qxedAhQiWK^cf5GMf1Ax_S?D!k!e@sI8NwfTMM6@cU!SCu85y#j=O4Vj=QqmhvTmDakiKSNugnf z9I-j%XtouH9DCS;Lyq?vIa;I;)h*jr+%buNsX&Zn-=Lc4KWly3`bn>yuUB1jzFyAP z%lUeFj;@s2-TQhOcg;+^Q3}_Biq-PyJNmd16N5~AkA!IIv&2u<^O|vDiRZ);Czfom z1xG&q3}T64O4vo5`R_~)U1cW{|1h9(@Kg9-nL6OAcL{pZhyK(JzDyALL0ib0A61h`{Z9@hH8 zo8ESIHNLkqCTk>HZR%m6Zk7K9-fG0cp|}U5ARb>o9z7fFkC7gazpd@C&%)&;+aDcF zM0WU0Cy zdnnis4hVa_Wy^ud4!ZM@$tFEI4Lhr4^b1CtxD_KwYH0GPjEQiE2Pig0E^`NnQ8(q} 
zU-nF-@~w5k-T(sIb{L5hHftu71>n4=u2zmB;*(xecK4MzZhfCqeOK)_;pp7+7t8E+ zFZVyrvnvXx&5`$h$+NqJ&=1EirJKvY=zLTxnvVfp!LSJ>Cy}yPx>_#7K&vN!m=2Ji z4E0ut2FX{1K3B8u)Sb5E!6j>XVFfLg;)P4%)deQ?2YR0c*M%e^eP#ka2f+IY!oXfJ z|8xGW^gPpslf->;e1tH*Mtu(OGEObw)DliD;nWi5t|S6^tRp`i^G`+OfS?BnJWxbR zr@=*pu%}-m@A&0gA<*u*m`I1a^tC$N<#1Q2d+%uyG|tJOca9T#v)*A^(^)4jswPUE zDcmZC@ZKLB9f~+f;;{3i2EFCu#c{2c`avv&MIv^dud*BzA>1K$oaNRedW3Wh9KapD z5H_1C@MrO2$&zg0w~GZfDCHm@QeGHd2|$~R4y7IVg%rETtMsx{uVi#sel$yNX(Jsz zt2SGHsSheQP4`ZbV%dQRv@i}U(A)_mlsw#BSHc_;MMb0%^SLInhS5TWLg=4o-ZW&< z71tJ!9s?G?!YJ$@Y%gdq$C7i4Ao7JOS=TI#U^#FYvCu|H4n|b9&eQ4x4I}MN>qHgJ zLffI4)NL3HIyxXKGp*`yB-l06{?e&y(@SJo6H?TJ6fcB-EGP)a5oRRBRcLS(8eD~j z&aSRPgR9VRuPQVUjyFcbA0FApQ3aEPzK-Vd>eG48J@P))48A1|R-eYDC2K!?*_2Tmz>cf7Rr4AuvyNdo0vl8y zoXZ~Gl+CWNvI{(s1yZlpT#R`GxY8N!At&*|8;HHMbMw4eX`pb>?s~`A)`1ZMM6Y}^ zmx|&pXc2ds`dMbGzg#UVHeen2k%`%vH_P19>*gaeg<#SD`-)o^l*2c1_5j`tt34DU zE8b~G8M?gHdCQwajSJ=6eY{BmM(hF1Z=9(r^W1o#DJm@7dKBX%vp6vh0C*`JS#bb3 zD~q$TI4jFtiy5;0xvVV6kr;I2G}fS_ndaVNJJxw{46Yc@jZN~9dY#GI6b73^ zon~8csI!MHIMjKsQKxa&UvGNn*8h1^%dB%;r*Y^?z5CBkXCi%q!i3$Ed^#JyKRP_v zIzOI=DHTnETTQ|s<4nAoIZJluQsk3vF-D`XD3l$0qRh7$p%TYI14wQBXPW(l5Azuv zkiY7DMGC~ZrCSgl)Ne|oH);8D=pkhM#WGH?{%sZV#*-Hu0vg=~R3eT!KAX=KzmLzR zc*ZM~QD7dvGE#&KPlnHAiTjLX5YeSlpPG(;{}LDZUzR~a7y-y+9L;xko${HzEFiW8 zxma9+@y#-xwB_wv+$`hidb@%9k1+%D3PV2)zn6jfL6kjzW_4%a3;&|kpEPf4mG#6{ zm(Dy#!-Q5e2_n-tIi?Yq61F#mjV+4BW{qYmyR>*4*mjm44%jH#xr*pqLR(_PH5^0 z6Mb-%+3%czBlO%aSRV1b^3=rno4Q$Jvq8?pw;bCtT{-A?!+X^qNIeTyVy}#*8{`}M zsyMMpDf4hyS;KG5iR94IbhYqD@D=@K8lY~E8BO%MN!KGwo~1se9TI7{;xL#6W=gVq z%CrfO;0jb(3n-9NGj<^^hu+GNLheP3njpqWa9%)Aq?L?U8D|~MGFN{lT=Q9m?T9x_ zGsKZE$(EXeNBrV1Q`pqplHcRBsV&q?TPHv&&!K=DrzB;J(^J-{*Amyh$c6%ew~%qT^GL0^MNVdGVXbGGbTfAa>$G}7E)!Y%~+82@k+Cv*5E zNDOih(H7wfy*Zp5Z{3s6+9rlD-Hl?VZvQ=5#c&h7D`W1XU%t9~l1o6K8cjwy{-i%v zx7nxWu#Bd0j{HuFcT&7#X)L99NnE#uYCnkaxhn!8H$sT?w_2=NLWTFrBVh}%)barO zV%11mJvF7EMbuIFw4FDDCx*X~vYn>v)84gCE_1{Cc+W^pk7Q=|b*XwGEjy}8Wq3XA 
zBPr>Fj94c@?5EJ7NdZ2aW5OZ?S}DFMFVrW=$TbUtIg$|F4zDL57tpGuxb&_QWq6LkohC_iP0(i<4 zzofM5X|*+^}SR1e67yC*axs()#~g9oozMFiZuW!m_-)3jl@9hwL2LgqtMD zd>Oo#7Tn9)^|UYqQXy`z!<&@`izQ$aIOXJ4+7U_D6~^&Wkgpkw;1jqB46YvFK|=Xx zD+}5q2M7)D^!zZ2AF*lZ&jsd1EZ2TZWii^Do0}0uh{7YlQ^H!a^LUnyWs*e_=f;V@ z425X-Eepf=<`)4s*wruB0sG~W_TG6Frg02VYSyV4;ToG8@J>UTJmapKVwCfnDHo81 zht|2zGD`6(j*H)wmr+I~P>|rElRAN+odMt<`q6ce#1WQ|pv#1o;W)|g`NJ&UTj&!E zMfHr4(CkL(eg~R)i}`Wc6g{1yd>eR~rdYH9{gOxp-FeWy+SfQAXj5LJOCN8=cA`FA zxMq>IoJN<2%3=KaqtdCv|6j&IWa8U6;JWU?h{(b96C6hP5BSjq)@Pu%6i0d1=D`?+ z(g9yWx;j4(zO+t(OcPc9#^C-FH8`6qrK5M4_cxe4>$lxEy|fnkR2?y+80e#MZ&}6Tnt-uDKR>PrtN$Yf|0i zdcUhf8?<`LOW#sQS%z0OG8&!y=8ZqSjN>b##PpwdU#ryg%)9U-Kf#(^K3r=;XJXEV zDNTgmX*@SC`}7lZ-dt61Cz>MxDW^O7YwC_#j^AmIwC1!&PJ86EN1}1XL+jfIrZnIp z*0CY3Fa$;6PW*!}WYhg{!?`h*l}yUpE_=J7yqDS(J3686g3xr-)-XlWzov0y5^Pym z$UosDr4@izu}UJ2v-`R7Mh7Pt!Tt*NalR5&l&BLxE4g4P+c^ioO{uTgQmIcs54zm% zT#STl(fKM8qFYMjj*~j{@dU;xBD@A4Tm&HHc0FkW7j<(#1T!0X0iwCC54m(vQp*%< z*evX{7G9F21Y*K!f3BY_{Efm4SlGQtI}bu*|H1X#zwVhsN6(&vmabpsUW2>v8C+xW z7XE_kU6=dl;L(?-pcTB09m-67-i%@+OiO}TIia)%3}K$kcxBE~obmpfGBT?qv}U2; z8@viL)>^%}x9W>&n>lfat65jcb<2Qme*x+4Y8rnrQg!`{zIemGuu^#OFFpBbA4M6L z!AoJnF+M`RiqSzBujZJ&SQ&x5M-Z z^}tc&r3FN_Cu(kzJ4`Wgk_$0#_}k%chrhM9p*g=}hSs0SrSgh0F0l=suNX zL!LG?2<9Sz^F3!lSZiDELTd~5<%AE@1O=_W!P6%HiSBv^wBaLk{{gzzG*!nfXn|<+ zQ4X7gy2jDaxoTAbM~xcv6a~vu>RphE;we$-Id{`4Vk7#d{36;83F~u^`KR`PT6EUk z1TAD~c9yUxrSVa9(fktREkKTBh+2_ml}YzgUZ9|O(K4HnmV%{iPErO#)E~6f5bdVd z&H=hG&`_+g@#jVpq!Dte(|t93So3Fo$zOO`q6}52YQcjAd=#eYkE^MqQW~%Y@V(#v zc)+)!n>i7aBnNT0TIkn)m|NGp(ZbIdaz7(+3a^q(XA>c<}k==*s)`0l?){Q6an5Mw zeKVCy#%HD9+o$6lulJ{L8q)hNon871mLD6Sp=fe^^zrFw>4y?hJ>Wcuh9}YIl{*J> z_jYnP_rGKq^c-^k519cAZ=U9(yeF!Q2^U4Js1PHsDRPwmOqxNg6~r0iLN?PT^vRaN z$9f0NE`APSkb6EVY9V|okz5db6tk{2&v%Jw=_2t0t1K0F8B4wNGG6h#cGp<2Gx2Bf zMMSDCKDvqrA(LW8G@GDFhSNQC;;xL1%zomN&&?{*Mx;+_Qot%t;}^;!_#((gSAS2@ z5qK6a7ON=8ZpV~OG?=d76w>kBzxKm%8e9xnGP?x2Hp3u>F@SqWn~CW9ju!K86*8&C 
zTs7GCDu^l=w(GE72Ry$G69WpvvN{u)X5i%I>6wOa95csw<$;MUbU>U{7`614;}>a^MnCT#aM~Lh}K<+VFs-HM)Z>pBZAp zK0S%(%O}{(zb*ZlG4}?23$GD6lFmS}Zd-J{QZep)i@Y>rrWdi-A zji#IcrQf53lz@XK6uq+o=rY37CFh6wNA9?)HsX^y%_rHCO&C@z@?5v(wFjy#bXCv`l4>+NuVq@Hrr|{kuC9IG=J2{0BV5~DrkxgM*ku%8v zkN)f>WCRV=Eb=VVJXalCMAgLUEHn>+gng zAXG>D_L3;9z1^v<5e7jNBGmA3lnpVv%IkGeG@n@>p4ZD@P&JoyVs~H++Yy|jElD+Z zH1=1ncPNU9^Q3zi1+%Ft*@QaH2gqiXarJAKAf}5cSIh;wnRqQ8ja@2qNcy-Wsg=*$ z5D%p@Fh0XZ_fR}(D$ua?9uKt&X-_B+w8R8dEn(FOn28&)4etx(zY$ii`OY!;yVK$P z$#wr96+ZZff+Qk(aXF-BH_J9Ef`79H+M(FIh(q1_i$7# zv^o(Uhe|5(u~03ktZU;mu9iu!P(0=+SGCYp&1R%n%}672Ft4ZE2&{86^<L!h2(%`P2w@sBkR3$e&R*l(OKy%FJ}zV;%dYAI6)m}La~htT zPv^g8vbxBceFj3Wd&2Ato6;9;sA9id9YDiz`Lw7#U^otQCP&H?jQ`ynkk|ii4p4qK z2Sz>Se?4Z{ctv*dPiCa%V@_nqHg~)D_wU5V?uvLo+ayuCbp%qEfi2TrHp==R@^5Or ztfhx23554SK9nIdJf+*My8>&d1X}@P_&P2L!`XvD9LP4x=!mwC-R9$&J(s}b+BOe; z-!>0L*5oA~^Q$VZvsPzo9F_g}ORO{?L6fUaS4Kb9+Y%yd-Kwj2xy7sIsqWW`1WDN- z>8JFf7lkL9Ho>dJ5*iV+o+2wJF3IzBnxuXfn0$wAJ_l6PfgtDh& zKIb;W5Xv;2$HD43rE}%`YA(;dxo5mM?yu~0-a|3LH%205QJ;#g3Kp$tHPCzZqxlUq<85aMiI(YT**U` zbq7Sn=Ek~381{hOvTTXVIru4^+>9n#9W>vWFnHcPewH7EvCf{Q!ezq-y3J3PTtj`m5ky_QYEU9=w)6}HLN z$8BlLAyg}{3~IN4Plja?u}8`nTRdGQ`yR8~J6Cxc(kbDlQRUWBw2}H9&y=t00*!0l zQjpQ)U>D3a`ACKA1q@;dW@WnKo;hI7-5Sb{3}%{w-CT%F8ZwH}XY;~kipHm76k!?p z#%DB~rM8s_qVN~Vj8kWOCCrEa2&MW}aIzfS%I7vwC8LG`T8zu03TPzPGEIY zG-CY6aV>(|aPC}(-r)As^^FP9OE(K;lq-9H)kRSs@wE?=JiUR3tt(*m#H)6R*-Q1! 
zk}0qW8Wam(2e|H6oLyRN^Y6nhz!W1O50&?&Ql#5b_HKN}&=mcimP!eW*p_1!1b414 zOM)T<0|DV9wGeNANN*5FIkm`4EDp{Nmosmi_D>u3$KQY}q+-czsPM#*&Cqd6uthog zSWYHVEz(HYa~YmEUq_!NbBkOm_Q2DGt7W$Id3sOmaTE_<&D>0A#?h0-KoxsVT1}%H z){tP-UWhB;MJHv$uwzD4MKEwD3C}jEpC8*3Sx-eFi?1hE`3@>*XQI(y0xPG6@9hR zL^sB?frHr&Z7>C*{?0H!qUQjSR3}kMosNs(M$U|zWetK|UNUEG`mQmmF5bw|qK}#;EpfEvRy8p( zK)cC@Jm$hH*BR&y8!;qqV;RmZn;pI zz7@N4L>d4S(L)E<2bsot%9$E02~TRgI_`t(M4&r!qV;X*6f`*u8A{4(ugB30!4(Y6FJHu{@ahNdER z2vO9OpRNvQ>7&RS-kc+HUjgi6L@4)-5S*EKgKlQsdtQa)Ajo(r?;)Y~CWkB$J|^)n zW{Ae6n=aG@Q>;3yJ6QE;T142rg0^Sf&iSDMaku%U5+y6X6ysxec`3cZCq%fUUAx}8 zWv8KaeBdIpD?`T=th=7sRjd;8pZqV{aeBmQoEj9d7+ZZvq>4gDDbYE*-AXTf}_HxKU)43SwW-VTlRnLKW(_)4Lv6O-;9AlX2pDMv)u$ zw2TtZWZt3b@$7o5);kZe0wq~3<&HYW2^(jR>Q+SOa`TB z?@;jC&5N|r6YWNntD@GS?(LfR3M+Z9MV99o_Nk*?G>@9Rqr z=wW5N$&N})iBapGIO8EYa2ZSUBEn8YNbe>U(=H^uvY%p7@Yrss+~YNGRIJxG2n9_!b8G*OR4(B|Y`F>x zMxNGGlb0|%&e1-bcY^yW#w}dqkWd#S$}K5q9jgU2Ia+SG!fQ-AVY&Lo#=I!*vs)03 zOi@@*5C08YV;n~nsOjlu>k}Ku3|O8%#2-rY1O`cKoP);gU>mq-L2AAC;Vb4^rj4Yk?AVxUy_EE- zgS))OJ#H94nvL#tO&_7^&X;4eSo%zEr+{-_a<`At?vd2?-~FZx33U+oU{`53u+~>3 zIyS}h_F=--IL${^=~2V%kUp5eX}5<~wP}Hc`fbCngYD8yg8cyWTzk z=QINWv3qmBT89o9J02aop0kWs$fOf#It>=wn3s#L8?kdZ5H<8K4?S(jCldgWK?xa< zUcfKjh4MbkhfB`}y($2kboZwpJcCsq2ikCXtdXa;L0oM}Z0>jgZ@Ty%R2BA|;-mY9 zvqwaCz}el4XTo5M;<9hN?C=%6!@ce>KZ2;@YydAXz=;Jr+2I?jZ>A2xo255~ZR-I{ z5*{FpP5K~hu_*FV;|;ZU4c?3lAjR*{GfY6~3_L@(u)fef>f3rziCT;oL8Fe4P8 z0v0z>DAu*HvB7G-5jKy+gR80+3$G3J552-j!p}my98Xb0R6(xlVgIt-mDEd#fQU)% zB6H$1Haj%@B|CAVgT@%(i*JK=n`;hO-F+3lOOaa3e~WUp-<45guNQ=Km%UM<(|SX$ zMLa4Nr-xs|0hj|MFD?n3dXo4LqklEpj7Bh)=Ipwgq>5Pph66Q2nO`d5Jy!8#2Z!h4 z;t&xa3d4N2?7mhv(neg{IpVzifCxC7_CAsWTcy%T6L1{@bP$VOmUoXG45;ePg8qyG zJq>xpqUi_qG&QMDW4k$*DV5t|de3kK3LT|VUw*NvC>6xmZ;kW9^-@yczKxw*7vt7f zXW+CUALqO5X(FW`9A2Hnb!zota%vr^G$ggB8g%K7|(dc5Q^gAT991UD=l^O<6bNX^dNx(>9@gZ+9d1`_NU&sqi zN6i_rDR%^f8@-jhh;a{SdY$@Y^{|(i(5(fTnHdT8!#WrJFeQ8j3C#a%aJrctE46l`!TYKWN%qgm^@^o>OxSyq+Y%orU642)j;v`fNw$mfI)wZc 
zf)5~!Q|By!TfItFe`uNdo+rWQFGB6i;`6^NDReB?RV8S%)*6Mo83?a^8iyWz@;!Ca zx&2<{%9W~=RR4tLCXofcBpilr<(irWZY%b}xd?(9+-RX(>VH+@hs_^I-1xG07vZ+c zlnzOSKVm)aXMXL*8XW_RfFQ%}_Dn-2r2{bJC_u2sqReiVk-}1mGZ;Su3YRXri(mJI z z2xauLR)|a(gYG=oB1qk)sMqY#G}Wlsvi>6Sh-{#@gRQq;HC`Z0o6f2}gNC~-59!gY z=e$X6VJbry`##+CB2XHk*tNv9$%PHn!e3kv^xT*;xQ%uNy?lC609g>owa55uXRNi9W z2ng1R=H%E!B0i5D%a`(H#g~(X`%=w_`nd!+48mI%P9<^mKkEhmcfuF%RQU{Yg(yXSuNGSFGULLCR$<7WRf(gR zzwjbm@TWeCO|pc{sn1+Gw5Ac#AP9|F$S61KIxLW0%%QgMwrz5Bb zT zri-}6b%0YB>u&+Iba*{8e=G7X=uUTiKDuU?P_@&B9cd%?i$4CH$R+TNsZhS8w&{XueXM0OBR~OhH~b=qI%6c_%$%holChBg z35&Ht(Cb@HoT-fPu^~&T!*9PQI@uflhc+$};H=X=>&z3+LSp2~39YT7mML(Ea!;Nf zG@yD}290Z&v=)>#(FWNbKn>0u`nGFJmEN6aQ|Oj+N92j`q!C3 zg8PvdMp}YI-n>=J5yDsYd(IhZqrU`>e)}_B<@e#R9GUq<^!^r0ANg4F-Oi+tNSYL01GP%A^q!Hw zZzAkRnJUyTroV3GFt|y~c@OjL_lPeNSuygyGPbes7IlG(4+2wc+$N4yk zv|10U!&+_XEiLEJC*%?~EwO&`cOV!x@d<058njpS$uz8&JRcak1d20ZH0?kI?)Pq! z>9pfKLFo#Yn~-O}R|*wrZr+wg4~k#D_M3B3%F>rB<4jiH`R+3mq948=rpO{PVigpy znsNiAx`#akMcW$I6xSwHxx+j?{*)5Y?7u~_y_|Dp2R<8v3vbOcdyUU$<{V+5HroYq zw3Je6b9=8veD`OR;3%%v5;gj=?K`o_Ods&q@4-(-Hqd^CouzU4 zfV=OiaS6{~n+>hTs1#6nFs_Nn${{2r4IUn@;=xMN?r8m7$v$p3MjSJ0J>8P$mo1a9 zLW{}@&8-`uM5RuCdeQP^u{~tWL7!Zyky^^$1g~^iI^DCnsAYn~d9nb_Z zzs!0DW;x5`-v->OI{d#`G23oSNd$A-mds~C3|S|jPL8Fw z#rX?1DPM@%TCCiPcPur(HKlMrRcZOISmI&wXF?l^fQC2r*>4goeD3Pw4O!XzaN(Nc zU#4}0FFIxbKF4?bW7+*n)~&2n$y_=L#?WfTffnEyLhRGFW{#K_y4o_%m3y&YcS=8z@lRZw-o}v6 zQ!!pCb45hT^!~pVrRzPj>?hG~7TRS|w2`;r_%%l{?TyDpf1$@D@(V@ZVMlO0+|cs; z)CRybSK3G()v;w!ysR>E3XB8YV&~l;!E80tKwR`$$k23f(b=;8mi6Pc7@ffKpkg>H z?`LWz2k;0`3bbu{C;|+^F~HS!rj3lb_gL}!8GodLZ!CyH%QnDZxUj~e14gVpf~Jj3 zSKHtk4E>l!7b<5d(IW12QpmTzX5!|a{kbGh^ZoI5O9{?k0U>m7=_I~mvHF~t2=c$z zo0KVct51XIwDdcaN}3VrsXDyxMVnDO&xos3V~jj8cq+ccsm!-_3L-C4$pRO+K{6hp z{#r{HNkcP#kofS6ORNc@L=~YcG0(qh(E`&@i|j49L2DjwEnrq4xoD(c7k%x-q#Xa7 z$HG-vUs%)B#nPIOiJ1QqD9tc_R>Jm>wXmp{xFCCf?MNvS+wd~@Ofw8_kkqZfldhb) zy?mWcH?_m=joUg!kAV4glEk`7ku^ZE8f2JB7!e!>fdw#8V6qQ_J2Z+Hluq(~0!2Lo 
za&2xRU|4vR$LO=0=t6Pu{bLL)Lk2q6vY@cdQlhn#v)__DHnpi??Nu~RidXvAa=C(a zt>&3cxd!ogUB8-3|2VT`LIl~3C;MqAdxL}WUECF@Sh%TFNnk()oX+c9aRcIn$MvU| z_fH#vX3;jRJN9;4LeEY*aaO0y5>K7Zkdnt1Ze{=)fGG+GcT*8YG7IGsz`1ud_Wt5f z%(}dYfS;%q22H9t_1mQ{te==TZ^(*YY1X`7`hy;0j8{yAwb@r6zA9U{Fm%~Th^gda z@BTR>)!d0fpoVj5G0)#RI|o-Iwg9HMjVLnN@eh0Yv~_<8SvarvSux1o-QC+7g`4&& zak?DmZ=Nux5TaQ~uFvA<0xIEqNhpRLJBotBNS3X#lPxQz0Anzn)7>i~-G8uMOAZBS zmsK9St?XtKCTbW`g?-MU%D`Y3JN2c+Rm`gib3qopmr}w@xyo;vi+Y~L2~9b}tsX~} z22le|A;v6(fhY1Q1ds(WZi{&`Cl1qXNAE&(S1KMZcS91M>{uHVXTa9q}6KMegV zP575d1pLe}jpYO*btJ@I9~j89%t9UP-M^(`#t|VY$wyPNznaqek&(ZDk!xpkFBhFt zy)8m`Eh~Oil$hW&thFpJn(?g5QY4Nc7%|-0>9ooAwqKoAJqelqI=;pz**(hl4hQH0 z89b*d@N2!jhpK$$xmmmB)Tyx z4APHdBVCA`kNn5!laH0fT{8Tiag2|53!xDUZTU-m)O+>t9x{xt4c z+@Dc4jLe4w%0&GA%QaR2WAP7ohVtP5pVrgE&UZks7S#blFb1GS>Lc!>5`DUxYQEpB z_Pv!ODVH9m`KM>gb}LER@S{!0rt!Y6XoVRJEFBePe5&IY^+W=PqHs8u$~yqgug>Jc z5V#pJBAC%FfwO0?ucq8-&*tH6m)wv4ZZROImi>j0K1QB>e#%N8saK=vU>nVhI!5HS zIsIVjs3^<}tfP%c3rQf4aY=VWh!h7QSKtSa6p1j=#kx`Ajko<5gXVGC6x4VxJx^cv z=rGykuwM(~o3J)tH|j-_3hmex3^M;346o)N(bi2K)XS=R1dhxp4U{@*316~iYFO?x zp^*y6JKW56b<9w=*n4X}TjLdK{Bs2b& zGEPZXSn0s1oLdf5R8ZAdxh}~$`2E&qTdzH0KMt<2rpjK0+K4r*4CzSADG;a+!l4R0 zj|q_v$@o6rw(U>pFN!Uv8Zi|p2BZNWFvrvEq)z&WFwij@w3GlCt^2Bg8zH8aS=UUW z<;k#!YUwOYhu?7zUn)0M5KLOFvqIHwiD-3m7dy#d^({>e!zD(f)!EH7kn=s!vC*KV zZrA>EC6l}dzG)EkW{767^hPH37yA7kAn2C|WRLUvQz5j~W;P6@+W|If^CC25q6CJb zo&Cq$boi*C-z}MKin|5fZi*?vM*8&f@F6A|czn+Ba@kPkL9=K&2Z63nYutSNEXWG7 zV2d3_#Ch1P5Arc)ZZsfPk;Ci4=HW^m4?2UvDxUtI=zZl8{suXjzaK^xCeH3E&T<|n zeV=nyycVdE(e?g$U$aj=MJ=P@TeOXtl8;0oi&^MDogThIb~h~^&Jq^L$7ec=xL+S~ zP8a{lz$k$$&${IV|5a^_oJ(`G%FFM|f_By`OKy<_-C^`hj_Tsfl#z!sA!i=gQl;8C zH}l+xTD{EC?x;hc7vuGHn#%E&=nDDW?fH`<;X!3Gu(-;I2^=CHNxQK3lcEvkyrLhw zm(5veiDHbM?tq2ZZaW))88@<^ipEx&r6?*^;kV>zO}ZRjP=P9m2jLS4*e7>Yoib8* zj^OSLJD4TiP?GVLte8#{IP~B3g6;tEA^s*fP_opaj*&j9xqa-sQ7T7PEH!|Dtp?-D zeY51eB`pEC{3xNQ{u+zE*je@|@90V;V4 zjlh0th{{WBHN$OYJRegq@{F0mRe0Lh?_j<4)yVGPY-f8uhKSlxaVp-l%9SBgS(_n% 
zVZ0UeR(Qk&r3!97h5&_63<4RnX#qww8RYLKf{nH2W|-a2mj#L-Od}v4%St#g&)@zL zy-t|Y(HCo-obUV1ryUnc;QC*+cj3+(LpDi`@2C34Q{(TocfBLNwqX?xA`YigOK3yd z!e6P&7^T6J#XD8%V|e@0YWkC5(Dt1ct)}AS#TuSB*hWX=&is7*oeWy4X-*E;W04+#4WV(b={BnXqV8#WdnZ5dI3sW`!-C;k7NO9{F-ET z2pyd5ruQ-nAdonyV#Wg+Z1%%&7!kPd=B_gdgcSY3aI|W0Q?9?Avq76ya>V>w3_m~Hk)KE zUGE<2Uq;GjG^Z;&MjF3n)nCY< zD(vdbIRx9pNC=kqZ*ny@){mW33_iS5X&AgP>X$1GI zIc-cK?te@t7DIM(yoim+IZCg{!;|!g+SC?Iwmk<`E$s5emO&Ot{Dz#JRcX;#uF<=6 z?ZI|-?Lt}NBl`Klw4Z*2@tJ68(K#KYGGU5;*@3u;u4;+c-Ke#7Q1+XPZP#8YeX^Sr z!sPexd3Z>?@C}SLSJC)Zm(9%3?w~T!LULT~H{R0AbKWorsz@RB?z%{9|EW<`>781& zax)A&77=ZFA$wD!3OfLlhs{=0k)^C2>inCoujkK?DzAU33Y+B#m@Uwkw(Vgh&{*wd#IB)iEQ#H}yH~JWgb%TZrKOZ^j>5oSo-LrqiV%NJWx1K;f8zO0SHpCkZ3&2rf1g(k zrM|TYUnh!jIWmAZDPr zP*QxrfF{7lEhSQ*y_lslM-439Ul!{TKdN^jpY-26d-^c<@GMebG1IE|6~R;lJMq=E zWSmI_t8bY>6VdK;m*4^tIQ~%Znge*N#BV$AEWX7~a4!L@$;$ zwi}JCC6|GNY4(X8D+i?qTDhf94m}*y?Ki_|gi4*=-$RlRd}f!TcPR{^)H^crHPQgH zYNqNa$Cq9X^Ih`l5Y=xzy&k$#Yf6Mt|2be(YjD!z7efy_4L5=W?D*Rvy1rh|jXC#d z7cA3ft)nTs|406^rRb{bm3l^5Hq>@y_*-5hy#MfnUR|o{3^k<0eTlsQ%-`h9J*CrJ zJbuQyq7neE*Tp$nM^w9poNmse3{npAV*Q3Q_x+tAJSv;vlAlx#TU|UEyMbDkT-LNs z#XeNMyf%sleeF;l6kNOVu52x|YxZa~%Ce4n1xDt;4kHsVF|nWDZgsRkJGDChDLL68 zHhJ41Wk&)5qJR3C;JC5XEi4B-A?cztZFl%N>{?iK@7|Mm}}I1?h<2Q=* zo3YiB;hmy_igI~~;B*D|ZaRjSdwXA0QlL8h`y^B^fkMc`su z|1Bz-`X&TAftyr^fwVv^;Pcr0TS~^wa7TZ(nd>TDSv#eN!9hYRQ+manGg2GG>MP3S zEIDhbKY{8V6t-h5k_$BD4;P9rV&_Z(F0*j-t00!k17C;G>$tJdN4hc;`;>L z?HgERQ-|oLzE?rh5aA8|nX5s?)GakKi_Mlq5NNQjn4w0EYla&+c}WW%1|u4{rKPUc zq9zUY)O3uf9_UV^KrLErS*0k^Uy5`X)h5kV0dfOcw4MFl)Z}%;1)>R*uNH=qmZ4KE zCPiX=b;~$?Giyp8tjOyn)fRv@X`Wd7!7|6T&FgO1P3LW~4XH;)+jf#KgDn!Xi47n` zZh>eQ$(2&^%o^_=VN0*JzqJ4Mcpvc$)ksc+L<}9>cs1X}iq-RM9S7N?i+){nj%G=8 zv%QWmYR(!?mt!$SBM++lC=-T8LIDOiZ1fTEnW0I8N)d!Q-db zi~*Zl{lq#3Dr8e4n_=j!fwM+QgX9lQ8c#(Daw$cap`N-iy!)BWB11T%mDpVp0dqCj z9%^#!H4IUjZV=w9)JzUrAdwh>*h|Ys2|9UKMOV6pbdLO_4s|b$Ve<-SC~(gdDNVVp zVdnNpC-$N}j?`PE((U=@7c6wgi#u!umc(&2DtG!#%dEE=GUCy6u3H4dAEPgGI)9cB 
zV%H(*K!jb;7nISza3K5A?Dk7~`6nGlN*AWd+s7}o)HO&3RiP-fhyBrYsSDnh4pUga z^+$|jKj|y2n zne~q&lL~a}+qLJ+AEfvAig?=|A=%BwuOf-4Vmz|-egpKrMakvnHUm=Q_|gBd;-VIT z(8hxQ6XTSKX#TGlSDO9*72{aM4M&>J+_pZhi%^1Tz)8Tiw#GLoZUce?guoTU3lJiM zdG4-uC;5!C)RU>$v<$;lX6@0dHy5gXw>(kwkvE$0uo@lAh$$DGe4O@YN((P$&!7Yhf`Xk1V!PXd=HH>-1w2jd9+nNb zoDKSGcN^~qsAL;6{6c4&X-Tn21pg!Z36a74@P-;f7!NfE>1Lz&{32Vn)B%&p7Bk>3 z^S<7A`1I8U!!-B@j1a?B zzDlZ1YJN2oE_O@3ObY0&Loq#WcD4v=s&XuC4iYs;#auq%h9rQODNO43Jbr3GNlMFv zca&*_^{Wyuq`DJit*8qX3Q@nkOW%s#u^JnE5a%OV7|WNiU4-%W9Ka5Uxx(=e#~L{q z0wRM65omQIF_U}?;b^y`?@*khpR64tgg^g3kTx=@5yVxQP`6#UpJtBMR`e1>A~xgT z2er^;O=BtzxN2jI>=|jsrr4iOtEgqg76ptcC+Y6w^HX8Qg#C`@5L7$HR%7>;NE_ET zk!7*TDot!__pVQ%(ZNP(BrD9Vcc2_;nHIzoRPBW122TGTRi+@`E@5B&$#n^He+Yd(^q_LCN zDgd2mhC>)VgZ|0>7}NnWyEGdMbPC#F)L+f!Fop@)fADNnudU-nkQa>>WI(NM5I{l7 zw7%n{9i%v+Ck1kDHXLgJHN%Y+CFtdDdeila@G1qNbA`g*^}Ef^-`q_}7r5HCRcJ*5 zlUAnfT~Iv1u*$^%%@@^5BbteVKmk>nYHPa9vrU99k9;wnk`FXR!~ha7BNqY>3lgd! z=>UyYFs}BdC1yHf$$oZR$Qpw|m!bBU_CE_yhV9vD#HKQrXPB77YnEyTN5}@fXFe}; zjHhGRx30}NFZBhofrckmo9L-EAEAF-o|(P-%8Pn!A;$@0U|&@|Ev6L=sS+3h*H@WV<`q)({xR9>wUECOfxfOXg5X?vp`rm zi8tVaDByB_#Qc6#Cnk@A;_;EqxCC>xs*3B73a$$|O&fH3z@(jaYKTsEPZMdowT|R+(=F@H zyWjz-KlbI%Zz#!Pr7>kb(uHe{#anS$hmk-hqHx#EyTu;wch}EzFcN|8%_0REBzybP zc);OAs>4U|MgOp42>O4p zBMwmek=pA&*pUv5CrK5U0Te>hY?V7UV8N-$IdJIvjEn?tpB9#ax(*j-FrKE^dhv;d z!nEZhSvDz6`uZ3Rhid)Ylx6NH!!lM{nN;IZ8yl+v4qjSJC|=3pU>EHV#g(_u$Nr1N z6=t=iHFTO-yO}xRpYYQx^&eTk$^R*EyHypc*RBPhlc?I*1q#mK_N3s?K-(Qx z5QeeTx~rh3eOLCLoRy0=CSne=eo(ATL*EU7x?*tri>L|O7vede?j7$i-ZX0`^r&3g z(A+X39cce1w-{xn@48sZ9SA6>8q&rvDq!F&8n8?F0OD?7fN_lpOKFQXBQ$a|)aPiY zZ)AcGckZ_W!kjvpvK@;K1Z>milJyWh(T^%Y2(KRJ##~k#4}6jkoIuFC5#RWKI{ z{V7ejzZdpF-j4Rjgolpxq-BJzk2{lBZ4{&@CvPX#Cc55guF|I4?+<;$CccqfRE4_3 zw!U0~V&WYY%P<*_B=b|hZ_N*jfVYbyQ(d6X1FCDpBg zD2M~z%)FzN_xEu1#rxYrIz2Ah`=pNWgH&?~JNxDC)7&pVRXNRu30zyhpmBv$ zdLXPei0fNV{PV@H*ZEcm1U1!@giEf;A`-bNXMaE5d|Tn_;ws0N3*-iq4du#Oyq1rdQfr5&yq)sI(S=Q35WZaK7Q=DE|K6ihoqmgu>f082nx~+HNg=MWw*CK-NP@)+uAB 
z%U(y5w%St0*-65#$S3f?hcM5PpebU`_3Y?F`0*u6?s~hyOJmmlHl_aE8i*)=s-*3t zw8uEF&6)&WrP9YsT(}>`u5Z2a?6cK+hTzo^iBBBeff`r5-GR6quxYX-Ph1bIlYfqY=vJL&my5HLs%QxI?&~L;qh+?5v0zs-3BtYzeqjClq6P zG}|t$`OcE&uIX2u9E^usXscX!yQ+P@aDtNz)HSdwKMAW9Lsn(#G?>zr-wn0EdR3M+ z=bDXA9Gr3VrIf}>{BC_w(da|#aiinWa^9*`91_T+Y$`Y*GS|QDZT~(5cQFx&pS5sLAW0_%_QSOR}R29p?@116=Jss){I2OD0p+M%g@uNn+Ih<(MxXi z?+J2c)oqFNPa0NBlb}j{^pVVUHL==FDJG0Bkn4U>gFc#;(|dMyCVifivx<-dReM4- z1z0!B@(U~6=MC;dzsX^veL6V$4{g&9shBNLn(p(+X2B1D!L4frS=!}a$DWueHtX_y z{WF6OC9?%a3ivL`Lq2Ns6Q&$*uT2?TxUT4?oxC|-lO%P0OQ*=0GgGTbVGnwcpOD24m4%a@BHqY#Qb=Y8BRt(~u&k(=mMo>zGTGyUDXgBr-1>+Y!M(dR1Qk@q7^=8# z&}ojvb>a5naQoMGt|~^!Qaz}&cToJKO`ur1BAou zC|o{ph8NWI*WqnI7wBlK5bh_jwFDE#plK~L9Akljval`Rs7ZV2+-r%*Qu7C9-_wvu zCY`8iQG)MnM@h=Yf{%531v&bIr-v+wG{Y@bsncYc#H#3uPmGA1<3=jUKIS?p&}Mi# zBhC9_BP^^R$9AcUVd;L7#p~vqCPFpT_WPoO#+g>1F zYUD8l1C&i`#Jsc+8JQe|Q&mBXgPz3gqv1=*NA4tZDjh{9g9%b+C~U9^o!_YrP?aq) zy&a2#<^#TVIPCm4lNKo-ICnnR=`~;a^}AcD7q8NbC2_DDbNVzfx?kropwVGht%E2L-y~n*yy7 zlF&S}zH(Sz$GgG_!Pkaq`&OX>$r*~7J?N%csEbXsH+G6S2IL|*I;16r69U$Jtn`*E zKh7_r*>}>T;yVf)H5Jxc{U1Ww(RJ(dYHS-Ja|8z7C;TC~X1c?4EYtDPLWll~T7q7M z1-@T`f1)>4u^g>u_UUtW6=|rQOH>Apz`k!M;*1#~Z!F?$$~W7@>|$Gn67&cA9BxCk zsXB)e(d(cLsnTrSU=G=Eg#V4BRTKXQM>i6^(B_7TrB&%@M-GhF=|E0P&Rq6SS7OepTc&?sV_)_JmHMZu*TWL(kkIW;#Wi zWO?$!?1{8UjQNK&kPK&pVl;I{|DGaRRQ@AA0bhY{>MpS}=8o78HY60TsNI3slZP)E zI_F>4zO+d}g$%8WQaNhr#GoI&mfrwL!K&qQYR0Z`1?oN$`fdv~hdvwIKpbihmD-U+rVV9DC_3P5o zt}GEV%Qey}b?X($q3pskZX#^DMb*;O1I-TA)>BhJm_gQl@{f760wbt-sB$mb@aPsg(+LHfZ3of1Ns;Q4ujz{C%siukS2K#1g8U6q1CmNZG0; z0EM{2TwSC*SxgsC&27>}!QkG7+~&qb`yNZr){#1tv~Kx7$UKIklx{~g{rj$)AlG*> z#gOrnZ!Or-v<~%0KQ%^v57LM&T#o+TZG?>S8{Gm z(qwV>ynmxcGH0a}SKQa=z2?%4al3?>`{=!TFeK0Bx#0!mn{{0KG$*9u!71~=t`5g! 
zkBBsZ%xLwk+$u=}QIr~f#OvGI$=@dy=J{EZS|%|8sP^pd);uiFNnA;anz$y1T(L*K zzdq}E#b&+=WrjA3SSq&6Pc(*D6mB4AFG{Qz0oolDB-XnD3&T61<7pKp0RFdvQ7jGN z>bdY{*a?S4t%l**=C=b2LQiN+*|nG`m8uWQB|wscc@Km0UL6bEUjw1KiohmCg7IB+ z78VRybSGd_(3hC;j#?r47E010MLG$mI9B~8wd&AO7L@)Gv{|e&tdMHof6P6#6B$AK zznObDYt5*Ur&3m@%rYM|ik-yDsQDU?NJLuntWR;c0?^B3l5omYqumS-qKb=jnxwl+ zxZ?O(B5`25co*8!?!2uS!jLJ>GAcJ# zImA(m7#W`^Z)tO|Y78!yI=Oet`C7=v8XHQB_p?B8)tlNP-17UBwjP!rn{p6`4Ux{0 zSAX0J=^xx5RXx+o`ror5Os*wCabZ5|u^Pk*{i%%_x%x`th&=g=V9}-|dJEi`MPxRq zqq{i?Wx>#^EerFP1JT=8<1ymWO%n2W98^dC*J}p!V>2K|vQj=|mFWn_k9chf#Xp36 zZkRvd^7%;Z`D`oN0`bzn5$Jt!KV*QOFXHWYzqW#$mIwan~I?)4GDC0i*M>2VlB(XKivV04BI^> zx}196W86>DPp2`?*uPP{v^nCCJm_5b`Mw9+^feX)tE8!tQpJBjxEtx<_x1Ji@f7s& ze%@~`gyvFr2}>5b#=0Ot(}?`bj1UqLE;&5!EWXuew?-QCx^l=~48NtyEOp@n%w17Y zopP-cBmsfu8_ZaV;;oEs#;r#RhK%i8P`&+KLg^;gQ@metfH_h}Ez z%PCH^Ax55U=}FZD4IL_Y^}IDV(B!%U6bN1qN9UUt;NY=IMNAB*6+cxksN(DH`0Z>f zvvB%nQbEx548IQZ@V!{T{Sr7yJyca=Jd`PjR1k zC2;imcv8I6A{7N+|EjCfe0+rNd89*-!D5IdR@GN1OY1i;D#DdS9LxJODg*x#+Z3#2 zUkZ~6^HbO4cde???1HwlSG+Ypz0RRn6E~DmdVc3}IY8*@GhOXPjWPu!p&R7v z4)X-ZR}7RvCiMY$^5vcVTAlH*e&RJTthW<0J0J+8>K)!y3Qig?G(-f;A z&)I+W|L(Z)akIMf$%@yF|JiGiqRwpXeON6`{WZYv`IolU=(^NL-U*$xM`MV}R)&UO zUsQZv!}I3&u2r{WWQTE?P5M?wac)CsRO=XpX(ts8Hb%<;#`sQ*f^p`J=b3!HTqzTY z-{hs^oY3xhqi-e{=I!pD!H4&G17EiD5*xR(_W>I-aqm?TGFl31zmE!6cgdI|HRm}> zI-a62)<`^4HsvG=h&0in)DEkeqj8YH&i~v>=vnrOx$tyzvFH1lcD@q=g3~_T(V+CK zeRE0$bES?I>k8D~;C%9N@jib#8poGG+Wbn8ln${U<1uh`lu-Ly^tff7C8 zt5dpSo;LJ{MF~O8@+s!njbXr=?tJXhd1pQsZhgTuo>OHf%Lk+( zsJY}{T)@GSW_ghfXE!x7v(7&w<-2gkX3D$` zO$T#KOi1Vjv-L3rRjwy1d|QmFpA{2-pqgNmdJuDlmZ9T#L#&p`v#Txy06Nu?d^sT% z4N)fku>576oP)Ohv&-1p>Zi!!o2 zZ>SmGAwO?y&CpGvy|ujLLWyyjsl|~b<2Z9Lm22#RQrQf6#S7G-iWl>)IJv`3aKD`aNi@!OP?jHK{Uni9z z`jK4y5KDVlp?f4_D+5MCeUm`f*MVgmcQkA&u33(-=uV3)ojwOW;~#DkSES#3*UG^& zlp9A6VmAUoYp5l1uj@#9mi%Q0Hqo{mhj28$4d%BwwJ}EE6W=9r|3>m+gWa>`?)qg2 z(#Y)to;@LCHz`&IzO72_%}}By+%8tUzMT(6Q$G7YUq7Jy>$5YxpTt<(4reWdu~DLC z3p#st!J&=#8l?a_OfY*B5)s|Om&k}0`pF%)H0Jrj*Vz#s`Qt+nL7`2zF~WhGNPQH+ 
zFZp!pkHBUGAGc3cu$}R%?6grg`;N+JK?iQnoH=#MFln&+raxUxh1uS-R@SYL!*hIn zn`FIKan@2vYuc0cllQdsJ&A~rdwRh7?$W#96K}2Nh5mJav}d;V=Ned(tgW}L9*gU0wJa zK%hFppt)}=kjt_f{l2g3WvL4R245HGVjZ!->!e5_8KDft@IZ{3qR4Q?ymZW;@ks=g zS2PZ15ZCL&$8mGS%WaQ6DT31*OZ?DkvmrxMr%5j7m`>$Zz3ZvU!F9fH}$baxY zTt4btG224NJJHv+yJL<>=|>0J2{myt)cNEHlP$V^Y?_}FQSF|RAS)g1^{n8J?mAzu z7YC@4>CoA>fo-`3KZSHxrz4LpEh$vD$%QEzEA$?tIJDEl1V2lTxyn6gUr^`EP~PWg7#>X|7wTqc{A#T?e*|! zN31RQoh69ryi|VUV6GO*oanV3ZdqL{)<~I_Vz=@nH#e}dntua&Iy>Hn9Qo&o`1;*H zFBzbt=Zkti4j%fqsCXPU;Pf#a3pa#`|4kZlKM+&4i%JV(Oce;lxhk87w{eRUFzkLN zMB%^wSBz1-Xm;VXQ+&Zst~&6cd{>X#HNCvbf&0E$_Y=c5UG#M7 zfH$Lh-nu0~bVsvv-)}*qY%|{qnq{0ApvG4ZVcnk>#5QL0yfW&=-$Mb(|{6hL>~E;UD;gon}bndbj`fn_DM(-FNUzkhWxd z(&R9r-i3$`!SLLY!K=EPF*!ed1;hMBrB6kD0w$o~Z?27BTrjT^i!yF5uk`V0z4Az6 zzTX(*R{|KzD+o1zvd%5>P!{{*_paY9J^$-W_%ariO%PhWlmk=Npig>oF?OGu+~D2c ztoSXe=M;ql!8HVYz?|herj&(P(O216)fsgEOQhViN%sJF>q89YUjXCMXg99BUvabj z#PMgASLCHL6&#;XPTU#?&h?}-Hn9r0f&Jc0Fdlxp=QtLabc7+7k}oZh2{FrZ98*Q_ z2g{>GPsK`S=4umX0qjw6W-beY_$RxbFQelVhA0d=u%yUaHr7hP=RV5D79u~(^A1XnDo!>KcWQQ`X`;6!+lMz_^!eH9H|PQHgOSN$rLCvjFsK; z7GahzKJF;u7hA@c5_@D1G0QGIAOK>&xc0TwD!Z$D@dF+D{xvh;_fgnLw(wJrn{G5E zl4JH>;77D|!kOnR<6RAtf^i0Px68MkAFiExpKm>k&2iUr>PWkf137h>ZPO7bHy5V`d6&}Y?6YQ zW4>C$^o%xZh3+MIC@)+vsSCM~B<{2q8R|xLr{GUyD$i+ zk{d|1N7Qtcq{9*K69({{szYijotGH*12t^W)GAOt`tG($%OjBn>x|M6jG`je6w;Y; zHiF*T9SH`5MLeG&a?qlDn|4q{_b?%3V`l3j{68NG9)VK8pIMAdZUwGX*Yz|d$HRc=;M#Mo6_sJ--$I*ZPs=( z+CF376@qX40_!WRDBZ-B7~@Y_~<8Y~Z!aac;X zRYz#Ilnh{AG?BK#nw~xmlZHa>2I#~~z1@Ug6Fhc*bUx@Iy);;={TVbaYB;UmI7Jls zE1#wSp0DtaH1-QC?_JSKoxQox)zdw!SX&j^gk9jxQ@K(F)l&+GO+J*MKl10{(zSbW z+ngWG0&|ZWSKhC0+huR*V`#yOZDH-N5>W^3!};@Ar<^ld93x#5pMxz*A|!%xuv7Ym zBLm4ce<~aLYaPE!?SM$@{Iy&o!;$5)}RHi60d)VV! 
z%?YnUAJ(K3h&q6jFR z;bqZ|@PUk`!He;OPdy5ia^fT-W~iL_8jklg!9xYHn5UpDu~`mV!LKHODa~&I zS_C|oGG_Jg@PJ5n?!6jvBQ&_{4Elh3J^R;?S-7LPI}digngnx4Fv28$a2Bg?MzU~t zbmBI!e>usF;RYoER0!%1eK zI^wl|_Ig8kZ}~&hp_NaOOz%k_4pk%2`Tz9~X#?`17fLq*^MR-<;U-Sb|q=GXQ z&iZ*?>hO^2lGB$#ER5YMz$ojR!Dfc40El)^0Y&x6&cjM*LQ!FAXB5VyG z<_}Zq5uuXmxU}ExeAFw5{doiE9EO`AtS&-3R2PcQ;7{uCP=@5%eW)6^Xl+P3>MFJm z*}00Dtf<4)H(`d;@Vg7qcj=VSUsUGjM*YnZRhdJV97u12UIGjY!TSmE7}X z&<}Snvr*FRz7Miear_w|eA-$do0F?3-CR>Ry_B=wXvQ7r&l2{uuiZ~t%uT5Lji0an zP*V~Flb0bZqm)mZ-r|t6i|pbWS86}psUNyUp|D3_&+A9|Q=-6XvDg;-$tSpxlgn)` zLo+MV&z7x=;^n$P`(od5P~HVg^U7ZBX=S3o5)uLmojW5}P+1#?)P%ehIHX=I=8JzcSympxO3jJd7H5$KbQCLPa)YKxydZZixH)_-kSqblD@_?I4Jz7gbcd@fg;#+`9hl>fg%1!mFh^@sk#Z>=x z$mOYF`xUgJR>b`H?I0Z<=I3jjZGVn-@4$_rd}0C6A?@&0*-X`*H%oQcRVuN4>|JR@ zsm7`UO%RhyFAva>c;_PGB!U^lfWqudnTCd}Q#Hi=Cn)W5VlI>gZ^5o!Fgp8?PU3%QgbC}m=eujjZ^GpFy^L#>1-`xu=CSD1un!iyx1Rk>SHVB zLL0@99~-iI2N_RyH0*ag-7h8-I_HEtAuOG;qMF4+#&bOC7IR}@gc~B^-OjR@NtNle zNC0(g<~>6_&-j6oB`)k(2ADI!6Re(4*6J)*)O98g)9U$2Ktw{HdZ) I${0}p1t(C-`~Uy| literal 0 HcmV?d00001 diff --git a/golang-external-secrets/values.yaml b/golang-external-secrets/values.yaml index 6ecd32f..04b6502 100644 --- a/golang-external-secrets/values.yaml +++ b/golang-external-secrets/values.yaml @@ -37,10 +37,10 @@ clusterGroup: external-secrets: image: - tag: v0.9.11-ubi + tag: v0.9.12-ubi webhook: image: - tag: v0.9.11-ubi + tag: v0.9.12-ubi certController: image: - tag: v0.9.11-ubi + tag: v0.9.12-ubi diff --git a/tests/golang-external-secrets-industrial-edge-factory.expected.yaml b/tests/golang-external-secrets-industrial-edge-factory.expected.yaml index e6b3d6f..24dd79a 100644 --- a/tests/golang-external-secrets-industrial-edge-factory.expected.yaml +++ b/tests/golang-external-secrets-industrial-edge-factory.expected.yaml 
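Review bot: the values.yaml hunk bumps all three image tags (`external-secrets`, `webhook`, `certController`) to `v0.9.12-ubi` together, which keeps the components in lockstep, but a tag is a mutable reference; if the chart exposes a digest field for these images, record the digests next to the tags so the three components resolve to immutable images. Also confirm that the vendored chart dependency itself was moved to 0.9.12 in the same change: the regenerated fixture below carries `helm.sh/chart: external-secrets-0.9.12` and `app.kubernetes.io/version: "v0.9.12"`, and a values.yaml tag bump on its own would leave the operator images and the CRDs shipped by the chart at different versions.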
@@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- 
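Review bot: these four hunks only move the chart and version labels from 0.9.11 / "v0.9.11" to 0.9.12 / "v0.9.12" on the cert-controller, controller and webhook service accounts and on the webhook secret, which matches the values.yaml bump; since expected-output fixtures should be regenerated from the chart rather than edited by hand, state in the commit message which command produced them so the next reviewer can compare against a fresh render instead of eyeballing label strings.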
@@ -67,7 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
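Review bot: the `controller-gen.kubebuilder.io/version` annotation moving from v0.13.0 to v0.14.0 is what coincides with every single-line `description:` string in the following hunks being rewritten as a `|-` block scalar; that is a formatting-only change to the CRD schemas, but it touches every CRD in the fixture and dwarfs the real version bump, so say explicitly in the commit message that upstream regenerated the CRDs with a newer controller-gen and that no schema fields were added or removed, so reviewers know to skim the description reflows and concentrate on the label and tag changes.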
@@ -85,18 +85,39 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md" + description: |- + ACRAccessToken returns a Azure Container Registry token + that can be used for pushing/pulling images. + Note: by default it will return an ACR Refresh Token with full access + (depending on the identity). + This can be scoped down to the repository level using .spec.scope. + In case scope is defined it will return an ACR Access Token. + + + See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: 'ACRAccessTokenSpec defines how to generate the access token e.g. how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview' + description: |- + ACRAccessTokenSpec defines how to generate the access token + e.g. how to authenticate and which registry to use. + see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview properties: auth: properties: 
@@ -111,32 +132,42 @@ spec: description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. properties: secretRef: - description: Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret. + description: |- + Configuration used to authenticate with Azure using static + credentials stored in a Kind=Secret. properties: clientId: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -147,10 +178,15 @@ spec: description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. properties: serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -158,7 +194,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -167,7 +205,11 @@ spec: type: object environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -175,10 +217,23 @@ spec: - GermanCloud type: string registry: - description: the domain name of the ACR registry e.g. foobarexample.azurecr.io + description: |- + the domain name of the ACR registry + e.g. foobarexample.azurecr.io type: string scope: - description: "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. \n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/" + description: |- + Define the scope for the access token, e.g. pull/push access for a repository. + if not provided it will return a refresh token that has full scope. + Note: you need to pin it down to the repository level, there is no wildcard available. + + + examples: + repository:my-repository:pull,push + repository:my-repository:pull + + + see docs for details: https://docs.docker.com/registry/spec/auth/scope/ type: string tenantId: description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. @@ -208,7 +263,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io 
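Review bot: the reflowed `scope` description now states the default on its own line: if `scope` is omitted, the generator returns a refresh token with full scope rather than a repository-scoped access token, and no wildcard scope is available. The hunk is a regenerated fixture and needs no change, but it is worth a line in the PR reminding pattern authors that any `ACRAccessToken` they define should set `scope` (for example `repository:my-repository:pull` where only pulls are needed) rather than rely on the full-scope default.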
@@ -239,10 +294,19 @@ spec: description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -273,7 +337,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -311,14 +377,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -338,7 +413,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -353,11 +430,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -395,7 +476,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -430,11 +513,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -447,10 +534,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -458,7 +549,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -482,7 +579,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -495,13 +594,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -513,11 +617,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -526,7 +634,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -536,7 +646,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -547,7 +660,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 
@@ -641,16 +757,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -662,7 +786,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -739,7 +866,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io 
@@ -768,10 +895,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -779,7 +915,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -796,7 +934,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -805,23 +945,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -829,7 +984,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -839,51 +996,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -942,26 +1120,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -980,7 +1166,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -989,7 +1178,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -997,39 +1189,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1060,32 +1264,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -1095,10 +1311,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1106,7 +1327,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1155,13 +1378,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1177,7 +1404,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1185,7 +1415,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1212,13 +1444,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1246,13 +1482,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1277,29 +1517,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1310,7 +1562,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1318,7 +1573,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1328,16 +1585,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1387,7 +1650,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1396,26 +1662,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1434,13 +1708,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -1451,10 +1732,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -1462,7 +1748,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1481,26 +1769,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1509,55 +1811,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1565,7 +1895,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1575,55 +1907,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1631,7 +1994,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1641,27 +2006,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -1671,18 +2049,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -1708,23 +2094,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -1740,7 +2143,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -1781,7 +2188,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -1791,13 +2200,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -1828,13 +2241,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1842,16 +2259,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1918,10 +2341,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1931,7 +2363,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -1939,16 +2373,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1960,7 +2402,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1972,7 +2417,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1989,7 +2436,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -1998,23 +2447,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2022,7 +2486,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2032,51 +2498,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -2089,7 +2576,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2135,26 +2624,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2178,7 +2675,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -2187,7 +2687,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2195,52 +2698,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -2258,10 +2780,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -2303,32 +2835,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -2336,7 +2880,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -2347,10 +2895,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2358,7 +2911,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2382,29 +2937,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2417,23 +2984,34 @@ spec: account: type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2441,7 +3019,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -2457,7 +3037,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -2466,7 +3049,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". @@ -2485,7 +3070,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. 
@@ -2494,13 +3081,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -2514,13 +3105,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -2531,10 +3126,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId @@ -2550,16 +3149,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2632,13 +3238,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2654,7 +3264,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2662,7 +3275,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2689,13 +3304,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2750,13 +3369,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2771,16 +3394,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -2801,29 +3430,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2831,7 +3472,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2839,7 +3483,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2848,16 +3494,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2883,7 +3535,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2916,13 +3570,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -2948,7 +3606,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -2957,26 +3617,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2995,13 +3663,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -3012,10 +3687,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3023,7 +3703,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -3045,13 +3727,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3074,13 +3760,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3102,16 +3792,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3140,39 +3836,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3180,37 +3898,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -3222,7 +3956,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3230,7 +3967,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3252,39 +3991,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3298,25 +4052,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3324,7 +4094,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3334,55 +4106,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3390,7 +4193,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3400,27 +4205,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -3430,13 +4248,17 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -3444,23 +4266,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -3468,7 +4301,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3481,7 +4318,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -3494,23 +4333,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -3526,7 +4431,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3567,7 +4476,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -3577,13 +4488,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -3614,13 +4529,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3628,16 +4547,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3657,13 +4582,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3671,16 +4600,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -3750,7 +4685,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -3768,13 +4703,28 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. + description: |- + ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an + authorization token. + The authorization token is valid for 12 hours. + The authorizationToken returned is a base64 encoded string that can be decoded + and used in a docker login command to authenticate to a registry. + For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3790,7 +4740,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3798,52 +4751,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -3852,7 +4824,9 @@ spec: description: Region specifies the region to operate in. type: string role: - description: You can assume a role before making calls to the desired AWS service. + description: |- + You can assume a role before making calls to the + desired AWS service. type: string required: - region @@ -3878,7 +4852,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: externalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -3910,10 +4884,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3955,7 +4938,9 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: description: ExternalSecretDataRemoteRef defines Provider data location. properties: 
@@ -3981,13 +4966,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -3996,11 +4986,15 @@ spec: - name type: object target: - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Merge 
@@ -4010,7 +5004,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4021,7 +5018,10 @@ spec: type: object engineVersion: default: v1 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4093,7 +5093,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4117,7 +5120,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4149,10 +5154,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4165,7 +5179,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -4203,14 +5219,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -4230,7 +5255,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
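Review bot: the GeneratorRef description in the sourceRef hunk now contains two consecutive empty lines inside the `|-` block (the old one-line form carried them as `\n`); that is how controller-gen v0.14.0 renders the doc-comment paragraph break ahead of `Deprecated: The generatorRef is not implemented in .data[].`, so leave it as generated rather than hand-trimming a vendored CRD. Same hunk, the SourceRef text `from which the value will pulled from` is missing `be`; it is unchanged from the old line and comes from the upstream Go doc comment, so it is an upstream fix, not one for this PR.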
@@ -4245,11 +5272,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -4287,7 +5318,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -4322,11 +5355,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -4339,10 +5376,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
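Review bot: in the transform hunk the template description reads `` `.value ` `` with a trailing space inside the backticks, carried over verbatim from the previous one-line form; block scalars preserve that space, so rendered docs will show it. Upstream doc-comment typo in external-secrets, nothing to change in this regenerated file.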
@@ -4350,7 +5391,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -4374,7 +5421,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
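Review bot: the reflowed SourceRef description, `Use this in combination with Extract or Find pull values out of a specific SecretStore.`, is missing `to` before `pull`; the wording is identical to the removed line, so this is pre-existing upstream text and should be reported there rather than edited in the generated CRD. The substantive content of the hunk is unchanged (`maxProperties: 1`, same `generatorRef` and store reference fields), which is consistent with a pure controller-gen v0.13.0 to v0.14.0 regeneration.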
@@ -4387,13 +5436,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -4405,11 +5459,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -4418,7 +5476,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -4428,7 +5488,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4439,7 +5502,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4533,7 +5599,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4557,7 +5626,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4586,7 +5657,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4604,13 +5675,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Fake generator is used for testing. It lets you define a static set of credentials that is always returned. + description: |- + Fake generator is used for testing. It lets you define + a static set of credentials that is always returned. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4618,12 +5700,16 @@ spec: description: FakeSpec contains the static data. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string data: additionalProperties: type: string - description: Data defines the static data returned by this generator. + description: |- + Data defines the static data returned + by this generator. type: object type: object type: object @@ -4647,7 +5733,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -4665,13 +5751,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: GCRAccessToken generates an GCP access token that can be used to authenticate with GCR. + description: |- + GCRAccessToken generates an GCP access token + that can be used to authenticate with GCR. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4686,13 +5783,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -4708,7 +5809,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -4716,7 +5820,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -4755,7 +5861,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -4773,13 +5879,25 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes. + description: |- + Password generates a random password based on the + configuration parameters in spec. + You can specify the length, characterset and other attributes. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4791,21 +5909,29 @@ spec: description: set AllowRepeat to true to allow repeating characters. type: boolean digits: - description: Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password + description: |- + Digits specifies the number of digits in the generated + password. If omitted it defaults to 25% of the length of the password type: integer length: default: 24 - description: Length of the password to be generated. Defaults to 24 + description: |- + Length of the password to be generated. + Defaults to 24 type: integer noUpper: default: false description: Set NoUpper to disable uppercase characters type: boolean symbolCharacters: - description: SymbolCharacters specifies the special characters that should be used in the generated password. + description: |- + SymbolCharacters specifies the special characters that should be used + in the generated password. type: string symbols: - description: Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password + description: |- + Symbols specifies the number of symbol characters in the generated + password. If omitted it defaults to 25% of the length of the password type: integer required: - allowRepeat @@ -4833,7 +5959,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: pushsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -4858,10 +5984,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4894,7 +6029,9 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match 
@@ -4915,7 +6052,9 @@ spec: properties: kind: default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string labelSelector: description: Optionally, sync to secret stores with label selector @@ -4923,16 +6062,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4944,7 +6091,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4977,7 +6127,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -5092,7 +6245,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string @@ -5122,7 +6277,9 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match 
@@ -5155,7 +6312,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -5184,10 +6341,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -5195,7 +6361,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5212,7 +6380,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -5221,23 +6391,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5245,7 +6430,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5255,51 +6442,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -5358,26 +6566,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5396,7 +6612,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -5405,7 +6624,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5413,39 +6635,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5476,32 +6710,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -5511,10 +6757,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5522,7 +6773,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5571,13 +6824,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5593,7 +6850,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5601,7 +6861,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5628,13 +6890,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5662,13 +6928,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5693,29 +6963,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5726,7 +7008,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5734,7 +7019,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5744,16 +7031,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5803,7 +7096,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5812,26 +7108,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5850,13 +7154,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -5867,10 +7178,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5878,7 +7194,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5897,26 +7215,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5925,55 +7257,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5981,7 +7341,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5991,55 +7353,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6047,7 +7440,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6057,27 +7452,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -6087,18 +7495,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6124,23 +7540,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -6156,7 +7589,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -6197,7 +7634,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -6207,13 +7646,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -6244,13 +7687,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6258,16 +7705,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6334,10 +7787,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -6347,7 +7809,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -6355,16 +7819,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6376,7 +7848,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6388,7 +7863,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -6405,7 +7882,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -6414,23 +7893,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6438,7 +7932,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6448,51 +7944,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6505,7 +8022,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -6551,26 +8070,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6594,7 +8121,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -6603,7 +8133,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -6611,52 +8144,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -6674,10 +8226,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -6719,32 +8281,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -6752,7 +8326,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -6763,10 +8341,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6774,7 +8357,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6798,29 +8383,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6833,23 +8430,34 @@ spec: account: type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6857,7 +8465,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -6873,7 +8483,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -6882,7 +8495,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". @@ -6901,7 +8516,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. 
@@ -6910,13 +8527,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -6930,13 +8551,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -6947,10 +8572,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId @@ -6966,16 +8595,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7048,13 +8684,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7070,7 +8710,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7078,7 +8721,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7105,13 +8750,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7166,13 +8815,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7187,16 +8840,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -7217,29 +8876,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7247,7 +8918,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7255,7 +8929,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7264,16 +8940,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7299,7 +8981,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7332,13 +9016,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -7364,7 +9052,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -7373,26 +9063,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7411,13 +9109,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -7428,10 +9133,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -7439,7 +9149,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -7461,13 +9173,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7490,13 +9206,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7518,16 +9238,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7556,39 +9282,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7596,37 +9344,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -7638,7 +9402,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7646,7 +9413,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7668,39 +9437,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7714,25 +9498,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7740,7 +9540,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7750,55 +9552,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7806,7 +9639,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7816,27 +9651,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -7846,13 +9694,17 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -7860,23 +9712,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -7884,7 +9747,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7897,7 +9764,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7910,23 +9779,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -7942,7 +9877,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7983,7 +9922,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
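Review bot: the `tls` block added under the Vault provider (`certSecretRef`/`keySecretRef`) is the one functional schema change in this region and it carries a client private key, yet its `namespace` field is documented as "Ignored if referent is not cluster-scoped", so a ClusterSecretStore can read that key Secret from any namespace while a namespaced SecretStore cannot. If the pattern's Vault store is a ClusterSecretStore, the commit message should say which namespace the mTLS Secret must live in. Since the keys default to `tls.crt` and `tls.key`, a Secret of type `kubernetes.io/tls` works without setting `key`, which is worth stating in the pattern docs.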
@@ -7993,13 +9934,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -8030,13 +9975,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8044,16 +9993,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8073,13 +10028,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8087,16 +10046,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -8166,7 +10131,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io 
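Review bot: apart from the Vault `tls` block, every hunk here is description rewrapping caused by the controller-gen bump in the CRD annotation (v0.13.0 to v0.14.0), not a behavioural change. A regeneration diff of this size is only reviewable if the commit message names the external-secrets release the CRDs were regenerated from and the command used, so a reviewer can diff against upstream instead of reading each `|-` rewrap; please add that, or split the mechanical regeneration from the schema additions into separate commits.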
@@ -8186,17 +10151,28 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string method: description: Vault API method to use (GET/POST/other) 
@@ -8214,39 +10190,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -8254,37 +10252,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -8296,7 +10310,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8304,7 +10321,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8326,39 +10345,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8372,25 +10406,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8398,7 +10448,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
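Review bot: `jwt.kubernetesServiceAccountToken.audiences` and `expirationSeconds` are marked Deprecated in the regenerated schema ("use serviceAccountRef.Audiences instead" and "this will be removed in the future"). If any values files or SecretStore templates in this repo set them, migrate to `serviceAccountRef.audiences` now rather than when the fields disappear; the 10-minute default token expiration is unchanged.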
@@ -8408,55 +10460,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8464,7 +10547,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8474,27 +10559,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -8504,13 +10602,17 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -8518,23 +10620,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -8542,7 +10655,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -8555,7 +10672,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -8568,23 +10687,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -8595,7 +10780,12 @@ spec: type: object resultType: default: Data - description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + description: |- + Result type defines which data is returned from the generator. + By default it is the "data" section of the Vault API response. + When using e.g. /auth/token/create the "data" section is empty but + the "auth" section contains the generated token. + Please refer to the vault docs regarding the result data structure. enum: - Data - Auth @@ -8626,10 +10816,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
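Review bot: the new `tls` block (`certSecretRef` and `keySecretRef`) is the one genuine schema addition in this stretch of the diff, everything else here is description reflow, and it should be called out in the commit message rather than buried in the rendered CRD. It configures a client certificate and private key for mutual TLS to the Vault server and, as the description itself stresses, is distinct from the `auth.cert` TLS certificate auth method. The key names default to `tls.crt` and `tls.key`, so a Secret laid out like a standard kubernetes.io/tls Secret works without an explicit `key`; anything else needs `key` set on both references.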
@@ -8693,10 +10883,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8802,10 +10992,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8842,10 +11032,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8886,10 +11076,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8907,10 +11097,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8927,10 +11117,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8963,10 +11153,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -9002,10 +11192,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -9023,10 +11213,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -9047,10 +11237,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9062,10 +11252,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -9080,7 +11270,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.12-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -9110,10 +11300,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
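Review bot: the image reference in the cert-controller Deployment hunk still pins by mutable tag only (`image: ghcr.io/external-secrets/external-secrets:v0.9.12-ubi`); for a controller that reads the Secrets referenced by every SecretStore in the cluster, consider pinning by digest, or at least recording the digest resolved for the tag at bump time, so a later re-tag of `v0.9.12-ubi` upstream is detectable. The same applies to the controller and webhook Deployments further down. The dropped quotes around the image string are a template-side change and do not alter the parsed value.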
@@ -9125,10 +11315,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets @@ -9143,7 +11333,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.12-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -9160,10 +11350,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9175,10 +11365,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -9193,7 +11383,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.12-ubi imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/golang-external-secrets-industrial-edge-hub.expected.yaml b/tests/golang-external-secrets-industrial-edge-hub.expected.yaml index 3fca772..ffcf6cb 100644 --- a/tests/golang-external-secrets-industrial-edge-hub.expected.yaml 
+++ b/tests/golang-external-secrets-industrial-edge-hub.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- 
@@ -67,7 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
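Review bot: the `controller-gen.kubebuilder.io/version` bump from v0.13.0 to v0.14.0 in this hunk is what turns every single-line `description:` into a `|-` block across the whole file, including the doubled blank lines inside the ACRAccessToken descriptions that follow; none of those hunks change field names, types, defaults or enums. The wording defects in the descriptions ("it not specified", "this audiences", "service principle") are inherited from the upstream external-secrets CRDs rendered into this fixture and should be fixed upstream, not edited here, or the next regeneration will undo the fix.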
@@ -85,18 +85,39 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md" + description: |- + ACRAccessToken returns a Azure Container Registry token + that can be used for pushing/pulling images. + Note: by default it will return an ACR Refresh Token with full access + (depending on the identity). + This can be scoped down to the repository level using .spec.scope. + In case scope is defined it will return an ACR Access Token. + + + See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: 'ACRAccessTokenSpec defines how to generate the access token e.g. how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview' + description: |- + ACRAccessTokenSpec defines how to generate the access token + e.g. how to authenticate and which registry to use. + see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview properties: auth: properties: 
@@ -111,32 +132,42 @@ spec: description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. properties: secretRef: - description: Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret. + description: |- + Configuration used to authenticate with Azure using static + credentials stored in a Kind=Secret. properties: clientId: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -147,10 +178,15 @@ spec: description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. properties: serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -158,7 +194,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -167,7 +205,11 @@ spec: type: object environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -175,10 +217,23 @@ spec: - GermanCloud type: string registry: - description: the domain name of the ACR registry e.g. foobarexample.azurecr.io + description: |- + the domain name of the ACR registry + e.g. foobarexample.azurecr.io type: string scope: - description: "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. \n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/" + description: |- + Define the scope for the access token, e.g. pull/push access for a repository. + if not provided it will return a refresh token that has full scope. + Note: you need to pin it down to the repository level, there is no wildcard available. + + + examples: + repository:my-repository:pull,push + repository:my-repository:pull + + + see docs for details: https://docs.docker.com/registry/spec/auth/scope/ type: string tenantId: description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. @@ -208,7 +263,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io 
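Review bot: The `scope` description in hunk `@@ -175,10 +217,23 @@` now carries two consecutive empty lines inside the `|-` block, once after "no wildcard available." and once after "repository:my-repository:pull". They are legal in a YAML block scalar and reproduce blank lines from the Go doc comment, so leave them as the generator emitted them rather than tidying by hand; the `controller-gen.kubebuilder.io/version` bump from `v0.13.0` to `v0.14.0` in the following `@@ -208,7 +263,7 @@` hunk is what marks this file as regenerated output, and it would help to name the upstream external-secrets release the CRDs were regenerated from in the commit message. Every hunk in this region changes only `description:` strings, with `type`, `enum`, `default` and `required` untouched, so there is no validation-behaviour change to test here.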
@@ -239,10 +294,19 @@ spec: description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -273,7 +337,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -311,14 +377,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -338,7 +413,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
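Review bot: In the `sourceRef.generatorRef` hunk (`@@ -311,14 +377,23 @@`) the reflowed text now states plainly that `generatorRef` "is not implemented in .data[]" and "will be removed with v1", yet the field stays in the schema under `maxProperties: 1` and will keep passing admission validation. Nothing to change in the generated file, but a sentence in the commit message would let pattern values that set `spec.data[].sourceRef.generatorRef` move to the `dataFrom[].sourceRef` path, which the `@@ -458,7 +549,13 @@` hunk further down documents as the supported generator route, before the v1 CRD drops the field.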
@@ -353,11 +430,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -395,7 +476,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -430,11 +513,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -447,10 +534,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -458,7 +549,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -482,7 +579,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -495,13 +594,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -513,11 +617,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -526,7 +634,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -536,7 +646,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -547,7 +660,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 
@@ -641,16 +757,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -662,7 +786,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -739,7 +866,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io 
@@ -768,10 +895,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -779,7 +915,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -796,7 +934,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -805,23 +945,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -829,7 +984,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -839,51 +996,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
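Review bot: The `caBundle` description at the end of hunk `@@ -839,51 +996,72 @@` keeps the phrase "PEM/base64 encoded CA bundle" directly above `format: byte`. `format: byte` means the API server expects a base64 string, so the PEM text must be base64-encoded when placed in the store spec, and the wording reads as though either form is accepted. This is upstream generated text and not something to hand-edit in this patch, but it is worth a line in the pattern documentation, since the same description says that an unset field falls back to the system root certificates for validating the Akeyless Gateway certificate, which is the behaviour operators should expect rather than a skipped TLS check.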
@@ -942,26 +1120,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -980,7 +1166,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -989,7 +1178,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -997,39 +1189,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1060,32 +1264,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -1095,10 +1311,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1106,7 +1327,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1155,13 +1378,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1177,7 +1404,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1185,7 +1415,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1212,13 +1444,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1246,13 +1482,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1277,29 +1517,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1310,7 +1562,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1318,7 +1573,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1328,16 +1585,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1387,7 +1650,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1396,26 +1662,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1434,13 +1708,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -1451,10 +1732,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -1462,7 +1748,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1481,26 +1769,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1509,55 +1811,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1565,7 +1895,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1575,55 +1907,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1631,7 +1994,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1641,27 +2006,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -1671,18 +2049,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -1708,23 +2094,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -1740,7 +2143,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -1781,7 +2188,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -1791,13 +2200,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -1828,13 +2241,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1842,16 +2259,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1918,10 +2341,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1931,7 +2363,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -1939,16 +2373,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1960,7 +2402,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1972,7 +2417,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1989,7 +2436,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -1998,23 +2447,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2022,7 +2486,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2032,51 +2498,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -2089,7 +2576,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2135,26 +2624,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2178,7 +2675,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -2187,7 +2687,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2195,52 +2698,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -2258,10 +2780,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
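Review bot: in the `secretsManager` hunk the reflowed description of `recoveryWindowInDays` documents a range of 7 to 30 days and says it cannot be combined with `forceDeleteWithoutRecovery`, but the schema beneath it remains `format: int64` / `type: integer` with no `minimum` or `maximum`, and nothing in the visible `type: object` enforces the mutual exclusion. Since `forceDeleteWithoutRecovery: true` skips the recovery window entirely, an out-of-range or contradictory value would only be rejected at the AWS API call rather than at admission. If this CRD is vendored verbatim, carry the suggestion (add `minimum: 7` / `maximum: 30` and a validation rule for the pair) upstream rather than patching it here.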
@@ -2303,32 +2835,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -2336,7 +2880,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -2347,10 +2895,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2358,7 +2911,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
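Review bot: the reflowed `authType` description two hunks up lists only "ServicePrincipal" and "ManagedIdentity" as valid values, while this hunk's `serviceAccountRef` description says the service account is used "when authenticating with WorkloadIdentity". The `enum` context for `authType` is cut at the hunk boundary (the previous hunk covers old lines 2303-2334 and the next starts at 2336, so old line 2335 is not shown), so please confirm whether a third enum value sits there; if it does, the description is stale relative to the enum and that is a doc fix to raise upstream, not a reason to edit the generated file.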
@@ -2382,29 +2937,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2417,23 +2984,34 @@ spec: account: type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2441,7 +3019,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -2457,7 +3037,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -2466,7 +3049,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". @@ -2485,7 +3070,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. 
@@ -2494,13 +3081,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -2514,13 +3105,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -2531,10 +3126,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId @@ -2550,16 +3149,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2632,13 +3238,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2654,7 +3264,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2662,7 +3275,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2689,13 +3304,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2750,13 +3369,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2771,16 +3394,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -2801,29 +3430,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2831,7 +3472,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2839,7 +3483,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2848,16 +3494,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2883,7 +3535,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2916,13 +3570,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -2948,7 +3606,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -2957,26 +3617,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2995,13 +3663,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -3012,10 +3687,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3023,7 +3703,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -3045,13 +3727,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3074,13 +3760,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3102,16 +3792,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3140,39 +3836,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3180,37 +3898,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -3222,7 +3956,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3230,7 +3967,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3252,39 +3991,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3298,25 +4052,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3324,7 +4094,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
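Review bot: typo in the regenerated description of `jwt.kubernetesServiceAccountToken.audiences` in the hunk at `-3298,25 +4052,41`: "Defaults to a single audience `vault` it not specified" should read "if not specified". Since these description strings are emitted by controller-gen from the Go type comments, the fix belongs in the upstream field comment; editing the YAML here would be overwritten on the next regeneration.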
@@ -3334,55 +4106,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3390,7 +4193,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3400,27 +4205,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -3430,13 +4248,17 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -3444,23 +4266,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -3468,7 +4301,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3481,7 +4318,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -3494,23 +4333,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -3526,7 +4431,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3567,7 +4476,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
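Review bot: the new `tls` block added in the hunk at `-3494,23 +4333,89` closes with a bare `type: object` and no `required:` list, so the schema accepts a `tls` object with `certSecretRef` but no `keySecretRef` (or vice versa), even though the description says both are used together for mutual authentication. Either add `required: [certSecretRef, keySecretRef]` under `tls`, or state in the description that the pair is validated by the controller at runtime rather than by the API server.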
@@ -3577,13 +4488,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -3614,13 +4529,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3628,16 +4547,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3657,13 +4582,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3671,16 +4600,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -3750,7 +4685,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
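Review bot: the `controller-gen.kubebuilder.io/version` bump from `v0.13.0` to `v0.14.0` in the hunk at `-3750,7 +4685,7` is what drives the `|-` block-scalar reflow of every `description` in the preceding hunks, so the only behavioural change in this stretch of the diff, the new Vault `tls` block, is buried in generator churn. Consider landing the regenerated descriptions as their own commit, or at least noting the generator version change in the commit message so reviewers know which hunks are pure reflow.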
@@ -3768,13 +4703,28 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. + description: |- + ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an + authorization token. + The authorization token is valid for 12 hours. + The authorizationToken returned is a base64 encoded string that can be decoded + and used in a docker login command to authenticate to a registry. + For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3790,7 +4740,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3798,52 +4751,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -3852,7 +4824,9 @@ spec: description: Region specifies the region to operate in. type: string role: - description: You can assume a role before making calls to the desired AWS service. + description: |- + You can assume a role before making calls to the + desired AWS service. type: string required: - region @@ -3878,7 +4852,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: externalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -3910,10 +4884,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3955,7 +4938,9 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: description: ExternalSecretDataRemoteRef defines Provider data location. properties: 
@@ -3981,13 +4966,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -3996,11 +4986,15 @@ spec: - name type: object target: - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Merge 
@@ -4010,7 +5004,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4021,7 +5018,10 @@ spec: type: object engineVersion: default: v1 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4093,7 +5093,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4117,7 +5120,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4149,10 +5154,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4165,7 +5179,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -4203,14 +5219,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -4230,7 +5255,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4245,11 +5272,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -4287,7 +5318,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -4322,11 +5355,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -4339,10 +5376,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -4350,7 +5391,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -4374,7 +5421,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4387,13 +5436,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -4405,11 +5459,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -4418,7 +5476,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -4428,7 +5488,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4439,7 +5502,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4533,7 +5599,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4557,7 +5626,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4586,7 +5657,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4604,13 +5675,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Fake generator is used for testing. It lets you define a static set of credentials that is always returned. + description: |- + Fake generator is used for testing. It lets you define + a static set of credentials that is always returned. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4618,12 +5700,16 @@ spec: description: FakeSpec contains the static data. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string data: additionalProperties: type: string - description: Data defines the static data returned by this generator. + description: |- + Data defines the static data returned + by this generator. type: object type: object type: object @@ -4647,7 +5733,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -4665,13 +5751,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: GCRAccessToken generates an GCP access token that can be used to authenticate with GCR. + description: |- + GCRAccessToken generates an GCP access token + that can be used to authenticate with GCR. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4686,13 +5783,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -4708,7 +5809,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -4716,7 +5820,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -4755,7 +5861,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -4773,13 +5879,25 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes. + description: |- + Password generates a random password based on the + configuration parameters in spec. + You can specify the length, characterset and other attributes. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4791,21 +5909,29 @@ spec: description: set AllowRepeat to true to allow repeating characters. type: boolean digits: - description: Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password + description: |- + Digits specifies the number of digits in the generated + password. If omitted it defaults to 25% of the length of the password type: integer length: default: 24 - description: Length of the password to be generated. Defaults to 24 + description: |- + Length of the password to be generated. + Defaults to 24 type: integer noUpper: default: false description: Set NoUpper to disable uppercase characters type: boolean symbolCharacters: - description: SymbolCharacters specifies the special characters that should be used in the generated password. + description: |- + SymbolCharacters specifies the special characters that should be used + in the generated password. type: string symbols: - description: Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password + description: |- + Symbols specifies the number of symbol characters in the generated + password. If omitted it defaults to 25% of the length of the password type: integer required: - allowRepeat @@ -4833,7 +5959,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: pushsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -4858,10 +5984,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4894,7 +6029,9 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match 
@@ -4915,7 +6052,9 @@ spec: properties: kind: default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string labelSelector: description: Optionally, sync to secret stores with label selector @@ -4923,16 +6062,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4944,7 +6091,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4977,7 +6127,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -5092,7 +6245,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string @@ -5122,7 +6277,9 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match 
@@ -5155,7 +6312,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -5184,10 +6341,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -5195,7 +6361,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5212,7 +6380,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -5221,23 +6391,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5245,7 +6430,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5255,51 +6442,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -5358,26 +6566,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5396,7 +6612,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -5405,7 +6624,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5413,39 +6635,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5476,32 +6710,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -5511,10 +6757,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5522,7 +6773,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5571,13 +6824,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5593,7 +6850,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5601,7 +6861,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5628,13 +6890,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5662,13 +6928,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5693,29 +6963,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5726,7 +7008,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5734,7 +7019,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5744,16 +7031,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5803,7 +7096,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5812,26 +7108,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5850,13 +7154,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -5867,10 +7178,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5878,7 +7194,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5897,26 +7215,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5925,55 +7257,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5981,7 +7341,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5991,55 +7353,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6047,7 +7440,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6057,27 +7452,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -6087,18 +7495,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6124,23 +7540,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -6156,7 +7589,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -6197,7 +7634,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -6207,13 +7646,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -6244,13 +7687,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6258,16 +7705,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6334,10 +7787,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -6347,7 +7809,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -6355,16 +7819,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6376,7 +7848,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6388,7 +7863,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -6405,7 +7882,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -6414,23 +7893,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6438,7 +7932,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6448,51 +7944,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6505,7 +8022,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -6551,26 +8070,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6594,7 +8121,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -6603,7 +8133,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -6611,52 +8144,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -6674,10 +8226,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
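Review bot: in the `SecretsManager` hunk, `recoveryWindowInDays` is documented as 7 to 30 days and as mutually exclusive with `forceDeleteWithoutRecovery`, but the visible schema carries only `format: int64` / `type: integer` and `type: boolean`, with no `minimum`/`maximum` and no mutual-exclusion rule, so an out-of-range or conflicting value is rejected only by AWS at delete time rather than at admission. Since this file is regenerated from upstream, that is a point to raise there rather than patch locally; for this review it is enough to confirm that the hunk changes description text only.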
@@ -6719,32 +8281,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -6752,7 +8326,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -6763,10 +8341,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6774,7 +8357,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6798,29 +8383,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6833,23 +8430,34 @@ spec: account: type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6857,7 +8465,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -6873,7 +8483,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -6882,7 +8495,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". @@ -6901,7 +8516,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. 
@@ -6910,13 +8527,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -6930,13 +8551,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -6947,10 +8572,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId @@ -6966,16 +8595,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7048,13 +8684,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7070,7 +8710,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7078,7 +8721,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7105,13 +8750,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7166,13 +8815,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7187,16 +8840,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -7217,29 +8876,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7247,7 +8918,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7255,7 +8929,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7264,16 +8940,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7299,7 +8981,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7332,13 +9016,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -7364,7 +9052,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -7373,26 +9063,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7411,13 +9109,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -7428,10 +9133,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
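Review bot: the reflow in the second hunk above carries two grammar slips verbatim: "ServiceAccountRef specified the service account" should read "specifies", and the audiences description ends with "then this audiences will be appended to the list" (number agreement, no closing period). Since these are description strings and the validation schema is untouched, the fix belongs in the source the descriptions are generated from, not in a hand edit here.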
@@ -7439,7 +9149,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -7461,13 +9173,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7490,13 +9206,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7518,16 +9238,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7556,39 +9282,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7596,37 +9344,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -7638,7 +9402,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7646,7 +9413,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7668,39 +9437,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7714,25 +9498,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7740,7 +9540,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
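Review bot: the `jwt.kubernetesServiceAccountToken` hunk above preserves two pre-existing typos through the reflow: "Defaults to a single audience `vault` it not specified." should be "if not specified", and "for which to request / a token for with the `TokenRequest` API." has a doubled "for". Both fields are also marked Deprecated in the same description, so a follow-up that fixes the wording upstream (or drops the fields as the deprecation notice promises) is preferable to editing the generated text in this file.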
@@ -7750,55 +9552,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7806,7 +9639,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7816,27 +9651,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -7846,13 +9694,17 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -7860,23 +9712,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -7884,7 +9747,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7897,7 +9764,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7910,23 +9779,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -7942,7 +9877,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7983,7 +9922,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
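Review bot: the new `tls` block for the Vault provider (hunk `@@ -7910,23 +9779,89 @@`) declares `certSecretRef` and `keySecretRef` as two independent optional objects with no `required:` list, so the schema accepts a store that sets only one of them; a client certificate without its private key (or the reverse) cannot complete a mutual-TLS handshake and would fail only at runtime, so either both should be required together at the schema level or the controller must reject a half-configured pair, and since this file is generated by controller-gen that fix belongs in the upstream Go types rather than in a hand edit here. The description usefully says this transport-level client certificate is different from the `auth.cert` authentication method; the `cert` auth description later in the patch ("passing client certificate, private key and ca certificate Cert authentication method") does not make the converse distinction, which invites configuring the same key pair in both places. Also worth stating in the commit message: `keySecretRef` points at a Secret holding a private key, and its `namespace` is honoured for cluster-scoped stores, so a ClusterSecretStore can reference key material in any namespace; this matches every other secret reference in the file, but it is new key material reachable through this path.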
@@ -7993,13 +9934,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -8030,13 +9975,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8044,16 +9993,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8073,13 +10028,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8087,16 +10046,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -8166,7 +10131,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io 
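Review bot: the `controller-gen.kubebuilder.io/version` bump from v0.13.0 to v0.14.0 on `vaultdynamicsecrets.generators.external-secrets.io` (hunk `@@ -8166,7 +10131,7 @@`) is the only line that explains the rest of this patch, where every `description:` is reflowed into a `|-` block without any schema change; the commit message should name the upstream external-secrets release (or chart version) these CRDs were regenerated from so the diff can be reproduced rather than reviewed line by line. The regenerated text also carries upstream wording defects unchanged, for example `Defaults to a single audience `vault` it not specified` and `then this audiences will be appended to the list` in the `audiences` descriptions; leave them as-is here (hand edits would be lost on the next regeneration) and report them upstream.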
@@ -8186,17 +10151,28 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string method: description: Vault API method to use (GET/POST/other) 
@@ -8214,39 +10190,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -8254,37 +10252,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -8296,7 +10310,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8304,7 +10321,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8326,39 +10345,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8372,25 +10406,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8398,7 +10448,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
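Review bot: the `kubernetesServiceAccountToken` block in hunk `@@ -8372,25 +10406,41 @@` now carries two fields whose descriptions say "Deprecated" (`audiences`, "use serviceAccountRef.Audiences instead", and `expirationSeconds`, "this will be removed in the future"), so any pattern values files in this repo that still set `auth.jwt.kubernetesServiceAccountToken.audiences` or `.expirationSeconds` for the Vault generator should be moved to `serviceAccountRef.audiences` before the next chart bump removes them; the deprecation is a CRD description change only, so nothing in this expected-output file needs to change, but the values side deserves a grep in the same PR.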
@@ -8408,55 +10460,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8464,7 +10547,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8474,27 +10559,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -8504,13 +10602,17 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -8518,23 +10620,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -8542,7 +10655,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -8555,7 +10672,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -8568,23 +10687,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -8595,7 +10780,12 @@ spec: type: object resultType: default: Data - description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + description: |- + Result type defines which data is returned from the generator. + By default it is the "data" section of the Vault API response. + When using e.g. /auth/token/create the "data" section is empty but + the "auth" section contains the generated token. + Please refer to the vault docs regarding the result data structure. enum: - Data - Auth @@ -8626,10 +10816,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
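Review bot: the new `tls` section added under the Vault generator provider in hunk `@@ -8568,23 +10687,89 @@` (client `certSecretRef` and `keySecretRef`, defaulting to the `tls.crt` and `tls.key` keys, for mutual TLS to the Vault server) is only honoured for HTTPS server URLs and, per its own description, is distinct from the `auth.cert` certificate auth method; since this file is generated test output for chart `external-secrets-0.9.12`, please confirm the matching chart dependency bump is part of the same change and that this file was regenerated rather than hand-edited, otherwise the `make test` expected output and the rendered chart will drift. The `caBundle` field remains the only way to pin the server certificate, so deployments enabling `tls` should still set it rather than fall back to the system roots.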
@@ -8693,10 +10883,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8802,10 +10992,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8842,10 +11032,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8886,10 +11076,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8907,10 +11097,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8927,10 +11117,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8963,10 +11153,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -9002,10 +11192,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -9023,10 +11213,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -9047,10 +11237,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9062,10 +11252,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -9080,7 +11270,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.12-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -9110,10 +11300,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
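Review bot: in the Deployment hunk `@@ -9080,7 +11270,7 @@` (and its twins for the controller and webhook Deployments) the image is still referenced only by the mutable tag `ghcr.io/external-secrets/external-secrets:v0.9.12-ubi`; the drop of the surrounding quotes is a no-op in YAML, but if the goal of keeping these expected files is reproducible rendering, consider pinning the image by digest in the chart values (`image@sha256:<placeholder>`) so that a retagged upstream image cannot silently change what `imagePullPolicy: IfNotPresent` pulls on a fresh node.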
@@ -9125,10 +11315,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets @@ -9143,7 +11333,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.12-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -9160,10 +11350,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9175,10 +11365,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -9193,7 +11383,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.12-ubi imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml b/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml index 3fca772..ffcf6cb 100644 --- a/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml 
+++ b/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- 
@@ -67,7 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
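Review bot: the `controller-gen.kubebuilder.io/version` annotation bump from `v0.13.0` to `v0.14.0` in hunk `@@ -67,7 +67,7 @@` is the change that turns every CRD `description` from a single folded string into a `|-` block scalar in the surrounding hunks; that is a formatting-only change to the OpenAPI schema, not a validation change, so the large diff is expected, but the same regeneration should be applied to every `tests/*.expected.yaml` that embeds these CRDs in one commit, otherwise the test suite will show the two styles side by side and mask real schema changes in later bumps.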
@@ -85,18 +85,39 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md" + description: |- + ACRAccessToken returns a Azure Container Registry token + that can be used for pushing/pulling images. + Note: by default it will return an ACR Refresh Token with full access + (depending on the identity). + This can be scoped down to the repository level using .spec.scope. + In case scope is defined it will return an ACR Access Token. + + + See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: 'ACRAccessTokenSpec defines how to generate the access token e.g. how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview' + description: |- + ACRAccessTokenSpec defines how to generate the access token + e.g. how to authenticate and which registry to use. + see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview properties: auth: properties: 
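Review bot: in the `ACRAccessToken` description the old single-line string carried one `\n` before "See docs:", but the new `|-` block scalar has two empty `+` lines in the same place, so the rendered description now contains two consecutive blank lines. That is simply how controller-gen v0.14.0 renders the paragraph break from the Go doc comment; it is harmless for the API server and it will be reproduced on every regeneration, so do not hand-edit it out of this file. If a cleaner description is wanted it has to be fixed in the upstream generator run, not in this vendored copy.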
@@ -111,32 +132,42 @@ spec: description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. properties: secretRef: - description: Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret. + description: |- + Configuration used to authenticate with Azure using static + credentials stored in a Kind=Secret. properties: clientId: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -147,10 +178,15 @@ spec: description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. properties: serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -158,7 +194,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -167,7 +205,11 @@ spec: type: object environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -175,10 +217,23 @@ spec: - GermanCloud type: string registry: - description: the domain name of the ACR registry e.g. foobarexample.azurecr.io + description: |- + the domain name of the ACR registry + e.g. foobarexample.azurecr.io type: string scope: - description: "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. \n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/" + description: |- + Define the scope for the access token, e.g. pull/push access for a repository. + if not provided it will return a refresh token that has full scope. + Note: you need to pin it down to the repository level, there is no wildcard available. + + + examples: + repository:my-repository:pull,push + repository:my-repository:pull + + + see docs for details: https://docs.docker.com/registry/spec/auth/scope/ type: string tenantId: description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. @@ -208,7 +263,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -239,10 +294,19 @@ spec: description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -273,7 +337,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -311,14 +377,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -338,7 +413,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -353,11 +430,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -395,7 +476,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -430,11 +513,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -447,10 +534,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -458,7 +549,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -482,7 +579,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -495,13 +594,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -513,11 +617,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -526,7 +634,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -536,7 +646,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -547,7 +660,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 
@@ -641,16 +757,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -662,7 +786,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -739,7 +866,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io 
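Review bot: this is the third `controller-gen.kubebuilder.io/version: v0.13.0` to `v0.14.0` bump in the file (`acraccesstokens`, `clusterexternalsecrets`, now `clustersecretstores`). All CRDs in the bundle should come from a single upstream generation run, so a quick consistency check before merging is to grep the file for that annotation and confirm every occurrence now reads v0.14.0; a leftover v0.13.0 would indicate a CRD copied from a different release and would be the first place to look for schema drift that the text diff hides among the description reflows.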
@@ -768,10 +895,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -779,7 +915,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -796,7 +934,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -805,23 +945,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -829,7 +984,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -839,51 +996,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -942,26 +1120,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -980,7 +1166,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -989,7 +1178,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -997,39 +1189,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1060,32 +1264,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -1095,10 +1311,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1106,7 +1327,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
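Review bot: the unchanged context lines in the Azure `auth` hunks carry upstream wording errors that this regeneration preserves: `The Azure clientId of the service principle` and `The Azure ClientSecret of the service principle` should read `service principal`, `If multiple Managed Identity is assigned` should be `If multiple Managed Identities are assigned`, and `ServiceAccountRef specified the service account` should be `specifies`. Since the file is generated, do not hand-edit it here; open the fix against external-secrets so the next regeneration picks it up.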
@@ -1155,13 +1378,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1177,7 +1404,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1185,7 +1415,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1212,13 +1444,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1246,13 +1482,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1277,29 +1517,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1310,7 +1562,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1318,7 +1573,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1328,16 +1585,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1387,7 +1650,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1396,26 +1662,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1434,13 +1708,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -1451,10 +1732,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -1462,7 +1748,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1481,26 +1769,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1509,55 +1811,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1565,7 +1895,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
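Review bot: the reflowed `audiences` description under `kubernetesServiceAccountToken` keeps the upstream typo `Defaults to a single audience `vault` it not specified` (should be `if not specified`). Same handling as the other generated text: leave it as-is in this repo and fix it upstream, otherwise the next `make` regeneration silently reverts a hand edit.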
@@ -1575,55 +1907,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1631,7 +1994,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
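Review bot: the reflowed `secretRef` and `serviceAccountRef` descriptions for the Vault `kubernetes` auth method spell out the fallback order: with neither set, `the one bound to the controller will be used`, meaning the operator's own ServiceAccount token authenticates to Vault for that store. That is worth a line in the pattern documentation for the Vault SecretStore values, recommending an explicit `serviceAccountRef` per store bound to a narrowly scoped Vault role rather than relying on the controller's identity.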
@@ -1641,27 +2006,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -1671,18 +2049,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -1708,23 +2094,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -1740,7 +2143,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -1781,7 +2188,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -1791,13 +2200,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -1828,13 +2241,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1842,16 +2259,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1918,10 +2341,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1931,7 +2363,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -1939,16 +2373,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1960,7 +2402,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1972,7 +2417,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1989,7 +2436,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -1998,23 +2447,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2022,7 +2486,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2032,51 +2498,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -2089,7 +2576,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2135,26 +2624,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2178,7 +2675,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -2187,7 +2687,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2195,52 +2698,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -2258,10 +2780,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -2303,32 +2835,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -2336,7 +2880,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -2347,10 +2895,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2358,7 +2911,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2382,29 +2937,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2417,23 +2984,34 @@ spec: account: type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2441,7 +3019,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -2457,7 +3037,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -2466,7 +3049,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". @@ -2485,7 +3070,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. 
@@ -2494,13 +3081,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -2514,13 +3105,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -2531,10 +3126,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId @@ -2550,16 +3149,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2632,13 +3238,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2654,7 +3264,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2662,7 +3275,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2689,13 +3304,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2750,13 +3369,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2771,16 +3394,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -2801,29 +3430,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2831,7 +3472,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2839,7 +3483,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2848,16 +3494,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2883,7 +3535,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2916,13 +3570,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -2948,7 +3606,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -2957,26 +3617,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2995,13 +3663,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -3012,10 +3687,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3023,7 +3703,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -3045,13 +3727,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3074,13 +3760,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3102,16 +3792,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3140,39 +3836,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3180,37 +3898,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -3222,7 +3956,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3230,7 +3967,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3252,39 +3991,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3298,25 +4052,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3324,7 +4094,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3334,55 +4106,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3390,7 +4193,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3400,27 +4205,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -3430,13 +4248,17 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -3444,23 +4266,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -3468,7 +4301,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3481,7 +4318,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -3494,23 +4333,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -3526,7 +4431,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3567,7 +4476,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -3577,13 +4488,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -3614,13 +4529,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3628,16 +4547,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3657,13 +4582,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3671,16 +4600,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -3750,7 +4685,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -3768,13 +4703,28 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. + description: |- + ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an + authorization token. + The authorization token is valid for 12 hours. + The authorizationToken returned is a base64 encoded string that can be decoded + and used in a docker login command to authenticate to a registry. + For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3790,7 +4740,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3798,52 +4751,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -3852,7 +4824,9 @@ spec: description: Region specifies the region to operate in. type: string role: - description: You can assume a role before making calls to the desired AWS service. + description: |- + You can assume a role before making calls to the + desired AWS service. type: string required: - region @@ -3878,7 +4852,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: externalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -3910,10 +4884,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3955,7 +4938,9 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: description: ExternalSecretDataRemoteRef defines Provider data location. properties: 
@@ -3981,13 +4966,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -3996,11 +4986,15 @@ spec: - name type: object target: - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Merge 
@@ -4010,7 +5004,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4021,7 +5018,10 @@ spec: type: object engineVersion: default: v1 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4093,7 +5093,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4117,7 +5120,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4149,10 +5154,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4165,7 +5179,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -4203,14 +5219,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -4230,7 +5255,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4245,11 +5272,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -4287,7 +5318,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -4322,11 +5355,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -4339,10 +5376,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -4350,7 +5391,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -4374,7 +5421,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4387,13 +5436,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -4405,11 +5459,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -4418,7 +5476,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -4428,7 +5488,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4439,7 +5502,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4533,7 +5599,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4557,7 +5626,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4586,7 +5657,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4604,13 +5675,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Fake generator is used for testing. It lets you define a static set of credentials that is always returned. + description: |- + Fake generator is used for testing. It lets you define + a static set of credentials that is always returned. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4618,12 +5700,16 @@ spec: description: FakeSpec contains the static data. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string data: additionalProperties: type: string - description: Data defines the static data returned by this generator. + description: |- + Data defines the static data returned + by this generator. type: object type: object type: object @@ -4647,7 +5733,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -4665,13 +5751,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: GCRAccessToken generates an GCP access token that can be used to authenticate with GCR. + description: |- + GCRAccessToken generates an GCP access token + that can be used to authenticate with GCR. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4686,13 +5783,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -4708,7 +5809,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -4716,7 +5820,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -4755,7 +5861,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -4773,13 +5879,25 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes. + description: |- + Password generates a random password based on the + configuration parameters in spec. + You can specify the length, characterset and other attributes. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4791,21 +5909,29 @@ spec: description: set AllowRepeat to true to allow repeating characters. type: boolean digits: - description: Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password + description: |- + Digits specifies the number of digits in the generated + password. If omitted it defaults to 25% of the length of the password type: integer length: default: 24 - description: Length of the password to be generated. Defaults to 24 + description: |- + Length of the password to be generated. + Defaults to 24 type: integer noUpper: default: false description: Set NoUpper to disable uppercase characters type: boolean symbolCharacters: - description: SymbolCharacters specifies the special characters that should be used in the generated password. + description: |- + SymbolCharacters specifies the special characters that should be used + in the generated password. type: string symbols: - description: Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password + description: |- + Symbols specifies the number of symbol characters in the generated + password. If omitted it defaults to 25% of the length of the password type: integer required: - allowRepeat @@ -4833,7 +5959,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: pushsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -4858,10 +5984,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4894,7 +6029,9 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match 
@@ -4915,7 +6052,9 @@ spec: properties: kind: default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string labelSelector: description: Optionally, sync to secret stores with label selector @@ -4923,16 +6062,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4944,7 +6091,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4977,7 +6127,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -5092,7 +6245,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string @@ -5122,7 +6277,9 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match 
@@ -5155,7 +6312,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -5184,10 +6341,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -5195,7 +6361,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5212,7 +6380,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -5221,23 +6391,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5245,7 +6430,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5255,51 +6442,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -5358,26 +6566,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5396,7 +6612,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -5405,7 +6624,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5413,39 +6635,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5476,32 +6710,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -5511,10 +6757,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5522,7 +6773,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5571,13 +6824,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5593,7 +6850,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5601,7 +6861,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5628,13 +6890,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5662,13 +6928,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5693,29 +6963,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5726,7 +7008,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5734,7 +7019,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5744,16 +7031,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5803,7 +7096,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5812,26 +7108,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5850,13 +7154,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -5867,10 +7178,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
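Review bot: two grammatical slips survive the reflow of the Oracle `serviceAccountRef` description in this hunk: `ServiceAccountRef specified the service account` should read `specifies`, and `then this audiences will be appended to the list` should read `these audiences`. The same `this audiences` wording recurs in every other `audiences` description in this patch, so if these CRDs are generated from upstream type definitions the fix belongs there, followed by a regeneration, rather than a hand edit of the YAML that the next regeneration would undo.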
@@ -5878,7 +7194,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5897,26 +7215,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5925,55 +7257,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5981,7 +7341,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
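Review bot: the reflowed `kubernetesServiceAccountToken` block in this hunk keeps two wording defects from the original single-line text: `Defaults to a single audience \`vault\` it not specified` should read `if not specified`, and `for which to request a token for` doubles `for`. More useful to a reader than the grammar is that the two defaults named here, the `vault` audience and the 10-minute `expirationSeconds`, are exactly what the Vault JWT role's bound audience and token TTL must accept, so a short sentence saying so would save a failed-auth round trip when someone changes either side.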
@@ -5991,55 +7353,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6047,7 +7440,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
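Review bot: the reflowed `secretRef` description in the Vault `kubernetes` auth block spells out a fallback worth flagging: `If one is not specified, the one bound to the controller will be used.` Together with `serviceAccountRef` being optional, a SecretStore that sets only `role` authenticates to Vault with the operator's own ServiceAccount token. Nothing in this hunk changes that behaviour, but any SecretStore this chart renders should set `serviceAccountRef` (or `secretRef`) explicitly so the Vault role is bound to a dedicated, narrowly scoped ServiceAccount rather than to the controller's identity.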
@@ -6057,27 +7452,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -6087,18 +7495,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6124,23 +7540,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -6156,7 +7589,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -6197,7 +7634,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
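Review bot: in the Vault `caBundle` hunk the description says the bundle is `ignored for plain HTTP protocol connection`, while `server` is documented only by an `https://` example and carries no `pattern` or `format` constraint, so the CRD accepts an `http://` Vault address and would send the AppRole, Kubernetes or token credentials configured above in clear text. The reflow does not change that, but when the pattern renders its SecretStore it should pin `server` to `https://` and provide `caBundle` or `caProvider` instead of relying on system roots; a check such as `grep -n 'server: http://'` over the rendered manifests is enough to catch regressions.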
@@ -6207,13 +7646,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -6244,13 +7687,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6258,16 +7705,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6334,10 +7787,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -6347,7 +7809,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -6355,16 +7819,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6376,7 +7848,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6388,7 +7863,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -6405,7 +7882,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -6414,23 +7893,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6438,7 +7932,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6448,51 +7944,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6505,7 +8022,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -6551,26 +8070,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6594,7 +8121,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -6603,7 +8133,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -6611,52 +8144,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -6674,10 +8226,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -6719,32 +8281,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -6752,7 +8326,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -6763,10 +8341,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6774,7 +8357,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6798,29 +8383,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6833,23 +8430,34 @@ spec: account: type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6857,7 +8465,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -6873,7 +8483,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -6882,7 +8495,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". @@ -6901,7 +8516,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. 
@@ -6910,13 +8527,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -6930,13 +8551,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -6947,10 +8572,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId @@ -6966,16 +8595,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7048,13 +8684,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7070,7 +8710,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7078,7 +8721,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7105,13 +8750,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7166,13 +8815,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7187,16 +8840,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -7217,29 +8876,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7247,7 +8918,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7255,7 +8929,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7264,16 +8940,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7299,7 +8981,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7332,13 +9016,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -7364,7 +9052,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -7373,26 +9063,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7411,13 +9109,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -7428,10 +9133,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -7439,7 +9149,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -7461,13 +9173,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7490,13 +9206,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7518,16 +9238,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7556,39 +9282,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7596,37 +9344,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -7638,7 +9402,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7646,7 +9413,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7668,39 +9437,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7714,25 +9498,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7740,7 +9540,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7750,55 +9552,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7806,7 +9639,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7816,27 +9651,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -7846,13 +9694,17 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -7860,23 +9712,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -7884,7 +9747,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7897,7 +9764,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7910,23 +9779,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -7942,7 +9877,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7983,7 +9922,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -7993,13 +9934,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -8030,13 +9975,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8044,16 +9993,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8073,13 +10028,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8087,16 +10046,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -8166,7 +10131,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -8186,17 +10151,28 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string method: description: Vault API method to use (GET/POST/other) 
@@ -8214,39 +10190,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -8254,37 +10252,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -8296,7 +10310,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8304,7 +10321,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8326,39 +10345,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8372,25 +10406,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8398,7 +10448,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
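Review bot: in hunk @@ -8372,25 +10406,41 @@ the `kubernetesServiceAccountToken.audiences` and `.expirationSeconds` fields of the Vault JWT auth method are now explicitly marked deprecated ("use serviceAccountRef.Audiences instead", "this will be removed in the future"), so any SecretStore values in this pattern that still set them should be moved to `serviceAccountRef.audiences` before the removal lands. The same hunk states the defaults that apply when they are omitted, a single `vault` audience and a 10 minute token lifetime; the Vault JWT role's bound audience must match that default or the value set on `serviceAccountRef.audiences`, which is worth stating in the pattern's Vault setup documentation.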
@@ -8408,55 +10460,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8464,7 +10547,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
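Review bot: the `kubernetes.secretRef` description in hunk @@ -8408,55 +10460,86 @@ says that when neither `secretRef` nor `serviceAccountRef` is given, "the one bound to the controller will be used", i.e. the external-secrets controller's own ServiceAccount token is what logs in to Vault. For a ClusterSecretStore that means every namespace allowed to use the store authenticates to Vault as the controller, so the pattern docs should recommend setting `serviceAccountRef` to a dedicated, narrowly bound ServiceAccount and binding the Vault `role` to that account rather than leaving the fallback in place.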
@@ -8474,27 +10559,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -8504,13 +10602,17 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -8518,23 +10620,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -8542,7 +10655,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -8555,7 +10672,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -8568,23 +10687,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -8595,7 +10780,12 @@ spec: type: object resultType: default: Data - description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + description: |- + Result type defines which data is returned from the generator. + By default it is the "data" section of the Vault API response. + When using e.g. /auth/token/create the "data" section is empty but + the "auth" section contains the generated token. + Please refer to the vault docs regarding the result data structure. enum: - Data - Auth @@ -8626,10 +10816,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
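Review bot: the new `tls` block in hunk @@ -8568,23 +10687,89 @@ closes with a bare `type: object` and no `required:` list, so a store that sets `tls.certSecretRef` without `tls.keySecretRef` (or the reverse) passes CRD validation and only fails when the controller builds the transport; the CRD is upstream-generated so it cannot be tightened here, but the pattern's values documentation should say both refs are needed together and, as the description itself stresses, that this is client-side mTLS to the Vault listener and not the `auth.cert` login method. Two further caveats worth recording: the `namespace` field on `keySecretRef` is honoured for cluster-scoped stores ("Ignored if referent is not cluster-scoped"), so a ClusterSecretStore can pull a client private key from another namespace, and the defaults `tls.crt`/`tls.key` line up with the `kubernetes.io/tls` Secret layout, so pointing both refs at one such Secret without `key` is the simplest correct form.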
@@ -8693,10 +10883,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8802,10 +10992,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8842,10 +11032,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8886,10 +11076,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8907,10 +11097,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8927,10 +11117,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8963,10 +11153,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -9002,10 +11192,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -9023,10 +11213,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -9047,10 +11237,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9062,10 +11252,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -9080,7 +11270,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.12-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -9110,10 +11300,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
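Review bot: hunk @@ -9080,7 +11270,7 @@ (and the matching controller and webhook image lines that follow) still reference the image by mutable tag, `ghcr.io/external-secrets/external-secrets:v0.9.12-ubi`, alongside `imagePullPolicy: IfNotPresent`; a node that already holds a differently built image under that tag keeps running it, and a re-push of the tag upstream changes what fresh nodes pull. If the pattern wants a reproducible supply chain for the component that handles its secrets, pin by digest in the chart values so the rendered Deployment carries `...:v0.9.12-ubi@sha256:<digest>`, and regenerate this expected file from that. Dropping the quotes around the image string is harmless YAML, since the reference contains no characters that need quoting.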
@@ -9125,10 +11315,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets @@ -9143,7 +11333,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.12-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -9160,10 +11350,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9175,10 +11365,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -9193,7 +11383,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.12-ubi imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/golang-external-secrets-naked.expected.yaml b/tests/golang-external-secrets-naked.expected.yaml index fda0917..312ed5f 100644 --- a/tests/golang-external-secrets-naked.expected.yaml +++ b/tests/golang-external-secrets-naked.expected.yaml 
@@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- 
@@ -67,7 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -85,18 +85,39 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md" + description: |- + ACRAccessToken returns a Azure Container Registry token + that can be used for pushing/pulling images. + Note: by default it will return an ACR Refresh Token with full access + (depending on the identity). + This can be scoped down to the repository level using .spec.scope. + In case scope is defined it will return an ACR Access Token. + + + See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: 'ACRAccessTokenSpec defines how to generate the access token e.g. how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview' + description: |- + ACRAccessTokenSpec defines how to generate the access token + e.g. how to authenticate and which registry to use. + see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview properties: auth: properties: 
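Review bot: the controller-gen bump from v0.13.0 to v0.14.0 (annotation hunk above) is what turns every folded single-line `description:` into a `|-` block scalar in the hunks that follow, and the former `\n` paragraph breaks (for example in the `ACRAccessToken` description) now appear as two consecutive blank lines inside the block, which a `|-` scalar preserves verbatim in the description string; this is cosmetic for schema validation since `description` carries no constraint, but because the reflow touches every CRD it is worth checking during review that no hunk in this batch also changes a `type`, `enum`, `default` or `required` entry alongside the description text (the ones visible here do not).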
@@ -111,32 +132,42 @@ spec: description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. properties: secretRef: - description: Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret. + description: |- + Configuration used to authenticate with Azure using static + credentials stored in a Kind=Secret. properties: clientId: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -147,10 +178,15 @@ spec: description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. properties: serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -158,7 +194,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -167,7 +205,11 @@ spec: type: object environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -175,10 +217,23 @@ spec: - GermanCloud type: string registry: - description: the domain name of the ACR registry e.g. foobarexample.azurecr.io + description: |- + the domain name of the ACR registry + e.g. foobarexample.azurecr.io type: string scope: - description: "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. \n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/" + description: |- + Define the scope for the access token, e.g. pull/push access for a repository. + if not provided it will return a refresh token that has full scope. + Note: you need to pin it down to the repository level, there is no wildcard available. + + + examples: + repository:my-repository:pull,push + repository:my-repository:pull + + + see docs for details: https://docs.docker.com/registry/spec/auth/scope/ type: string tenantId: description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. @@ -208,7 +263,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -239,10 +294,19 @@ spec: description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -273,7 +337,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -311,14 +377,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -338,7 +413,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -353,11 +430,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -395,7 +476,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -430,11 +513,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -447,10 +534,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -458,7 +549,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -482,7 +579,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -495,13 +594,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -513,11 +617,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -526,7 +634,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -536,7 +646,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -547,7 +660,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 
@@ -641,16 +757,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -662,7 +786,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -739,7 +866,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io 
@@ -768,10 +895,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -779,7 +915,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -796,7 +934,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -805,23 +945,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -829,7 +984,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -839,51 +996,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -942,26 +1120,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -980,7 +1166,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -989,7 +1178,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -997,39 +1189,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1060,32 +1264,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -1095,10 +1311,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1106,7 +1327,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1155,13 +1378,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1177,7 +1404,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1185,7 +1415,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1212,13 +1444,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1246,13 +1482,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1277,29 +1517,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1310,7 +1562,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1318,7 +1573,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1328,16 +1585,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1387,7 +1650,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1396,26 +1662,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1434,13 +1708,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -1451,10 +1732,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -1462,7 +1748,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1481,26 +1769,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1509,55 +1811,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1565,7 +1895,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1575,55 +1907,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1631,7 +1994,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1641,27 +2006,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -1671,18 +2049,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -1708,23 +2094,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -1740,7 +2143,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -1781,7 +2188,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -1791,13 +2200,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -1828,13 +2241,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1842,16 +2259,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1918,10 +2341,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1931,7 +2363,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -1939,16 +2373,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1960,7 +2402,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1972,7 +2417,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1989,7 +2436,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -1998,23 +2447,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2022,7 +2486,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2032,51 +2498,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -2089,7 +2576,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2135,26 +2624,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2178,7 +2675,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -2187,7 +2687,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2195,52 +2698,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -2258,10 +2780,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
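Review bot: the caBundle descriptions in this patch disagree about the expected encoding even though all of them declare `format: byte`. The Vault one (hunk `@@ -1671,18 +2049,26 @@`) and the webhook one (`@@ -1740,7 +2143,11 @@`) say only "PEM encoded CA bundle", while the Akeyless one (`@@ -2032,51 +2498,72 @@`) says "PEM/base64 encoded CA bundle". With `format: byte` the manifest value has to be the base64 form, so a user following the Vault wording and pasting raw PEM gets a schema rejection instead of a working trust anchor. The text is generated from the upstream types, so the fix belongs upstream rather than as a hand edit of this CRD, but it is worth flagging in the PR.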
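Review bot: the constraints stated in the new forceDeleteWithoutRecovery and recoveryWindowInDays descriptions (hunk `@@ -2258,10 +2780,20 @@`) are documentation only; nothing in the visible schema enforces them. "You can't use both this parameter and RecoveryWindowInDays in the same call" has no `x-kubernetes-validations` rule making the two fields mutually exclusive, and "from 7 to 30" has no `minimum`/`maximum` on the `format: int64` integer. A store setting both fields, or a window outside that range, is therefore accepted by the apiserver and only fails when the provider issues the DeleteSecret call. Since the CRD is generated, raise this upstream rather than patching it here.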
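Review bot: every hunk visible here changes only `description` text (single-line strings rewrapped as `|-` block scalars with the same wording); no field, type, default, enum or required list changes. That is the signature of a regenerated CRD, so it would help reviewers to record in the commit message which upstream chart or generator version produced it, so the diff can be reproduced instead of read line by line. One upstream typo is carried verbatim into every namespace description: "Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." (lower-case sentence start after the period); leave it as generated here and fix it upstream.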
@@ -2303,32 +2835,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -2336,7 +2880,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
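Review bot: the unchanged context lines for clientId and clientSecret still read "service principle" where "service principal" is meant; that is upstream wording, so leave it as-is in this patch and raise it in external-secrets. On the authType hunk itself, the `|-` block scalar now carries the literal `- "ServicePrincipal"` / `- "ManagedIdentity"` bullets inside the description string, which is the intended YAML (a block scalar, not a nested list); the separate `enum:` that follows is the part the API server actually validates, and it is unchanged by the hunk.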
@@ -2347,10 +2895,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2358,7 +2911,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
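Review bot: the serviceAccountRef and audiences hunks carry over two grammar slips from upstream ("ServiceAccountRef specified the service account", "then this audiences will be appended"); leave them here and fix them upstream where the Go doc comments live, since controller-gen will otherwise regenerate the same text on the next vendoring. Nothing else in the hunk changes: `items: type: string` / `type: array` for audiences and the `required: - name` block are identical before and after the reflow.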
@@ -2382,29 +2937,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2417,23 +2984,34 @@ spec: account: type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2441,7 +3019,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -2457,7 +3037,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -2466,7 +3049,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". @@ -2485,7 +3070,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. 
@@ -2494,13 +3081,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -2514,13 +3105,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -2531,10 +3126,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId @@ -2550,16 +3149,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
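Review bot: the urlTemplate reflow leaves "URLTemplate" standing alone as the first line of the description, so `kubectl explain` will show a bare identifier followed by the default `"https://%s.secretsvaultcloud.%s/v1/%s%s"` with nothing saying what the four `%s` slots are bound to. That is how the upstream doc comment reads, so it is not something to patch in this vendored copy, but a one-line upstream fix ("URLTemplate is the format string used to build the API URL; if unset, defaults to ...") would make the generated CRD self-explanatory. The tld hunk and the doppler secretRef hunk are straight reflows with their `type:` lines unchanged.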
@@ -2632,13 +3238,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2654,7 +3264,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2662,7 +3275,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2689,13 +3304,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2750,13 +3369,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2771,16 +3394,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -2801,29 +3430,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2831,7 +3472,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2839,7 +3483,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2848,16 +3494,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2883,7 +3535,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2916,13 +3570,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -2948,7 +3606,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -2957,26 +3617,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2995,13 +3663,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -3012,10 +3687,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3023,7 +3703,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -3045,13 +3727,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3074,13 +3760,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3102,16 +3792,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3140,39 +3836,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3180,37 +3898,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -3222,7 +3956,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3230,7 +3967,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3252,39 +3991,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3298,25 +4052,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3324,7 +4094,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
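Review bot: the `@@ -3298,25 +4052,41 @@` hunk reflows the deprecated `kubernetesServiceAccountToken.audiences` description and carries over the existing typo "it not specified" (should be "if not specified"). The `serviceAccountRef.audiences` text reflowed in the same hunk, and again in the `@@ -3222` and `@@ -3390` hunks, also lacks a period before "If the service account uses" and says "this audiences" where "these audiences" is meant. Because the file is generated, the fix belongs in the upstream Go doc comments so that the next regeneration corrects every copy at once rather than patching the YAML here.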
@@ -3334,55 +4106,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3390,7 +4193,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
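Review bot: the reflowed `kubernetes.secretRef` description in the `@@ -3334,55 +4106,86 @@` hunk preserves the sentence "If one is not specified, the one bound to the controller will be used", which is the security-relevant default: a store that sets neither `secretRef` nor `serviceAccountRef` authenticates to Vault with the operator's own token. The `serviceAccountRef` description in the same hunk only says that `secretRef` is used when the service account selector is absent, so a reader has to follow two descriptions to learn that the final fallback is the controller identity. It would help to state the controller-token fallback once at the `kubernetes` object level, or at least repeat it in the `serviceAccountRef` description, since that is the field most readers of the schema will look at first.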
@@ -3400,27 +4205,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -3430,13 +4248,17 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -3444,23 +4266,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -3468,7 +4301,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3481,7 +4318,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -3494,23 +4333,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -3526,7 +4431,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3567,7 +4476,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
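Review bot: the `tls` block added in the `@@ -3494,23 +4333,89 @@` hunk is the only new schema in this change (every other hunk is a description reflow), so it deserves the attention the rest of the diff does not. It adds `certSecretRef` and `keySecretRef` for a client certificate on the transport to the Vault server, and its descriptions promise defaults of `tls.crt` and `tls.key` for the Secret key while the schema carries no `default:` for `key`; that is consistent with the sibling selector fields ("Some instances of this field may be defaulted") because the controller does the defaulting, but someone reading the CRD alone cannot tell which instances those are. The description also does two useful things that should stay: it distinguishes this transport-level client certificate from the `auth.cert` Vault auth method, and, like `caBundle`, it states that the setting is only used when `server` is an HTTPS URL and is ignored for plain HTTP. Given that last point, a `tls` block configured on a non-HTTPS `server` is silently ignored; a validation rule or at least a logged warning for that combination would be a reasonable follow-up so that an operator does not believe mutual TLS is in effect when it is not.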
@@ -3577,13 +4488,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -3614,13 +4529,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3628,16 +4547,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3657,13 +4582,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3671,16 +4600,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -3750,7 +4685,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -3768,13 +4703,28 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. + description: |- + ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an + authorization token. + The authorization token is valid for 12 hours. + The authorizationToken returned is a base64 encoded string that can be decoded + and used in a docker login command to authenticate to a registry. + For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3790,7 +4740,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3798,52 +4751,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -3852,7 +4824,9 @@ spec: description: Region specifies the region to operate in. type: string role: - description: You can assume a role before making calls to the desired AWS service. + description: |- + You can assume a role before making calls to the + desired AWS service. type: string required: - region @@ -3878,7 +4852,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: externalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -3910,10 +4884,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3955,7 +4938,9 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: description: ExternalSecretDataRemoteRef defines Provider data location. properties: 
@@ -3981,13 +4966,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -3996,11 +4986,15 @@ spec: - name type: object target: - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Merge 
@@ -4010,7 +5004,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4021,7 +5018,10 @@ spec: type: object engineVersion: default: v1 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4093,7 +5093,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4117,7 +5120,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4149,10 +5154,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4165,7 +5179,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -4203,14 +5219,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -4230,7 +5255,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
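Review bot: The reflowed `sourceRef` description in the hunk at `@@ -4203,14 +5219,23 @@` keeps the upstream grammar slip "from which the value will pulled from", and the `generatorRef` block scalar now contains two empty lines before the "Deprecated:" sentence, which the `|-` scalar preserves verbatim in `kubectl explain` output. Both are faithful controller-gen output, so do not hand-edit them in this file; if they are worth fixing, fix the Go doc comment on the upstream type and regenerate, otherwise the next regeneration silently reverts the edit.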
@@ -4245,11 +5272,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -4287,7 +5318,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -4322,11 +5355,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -4339,10 +5376,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
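Review bot: In the `transform.template` description (hunk `@@ -4339,10 +5376,14 @@`) the backticked token is "`.value `" with a trailing space inside the backticks, carried over unchanged from the removed line, so the rendered field help shows the stray space. Since this file is generated, leave it as-is here and raise it against the upstream doc comment rather than patching the CRD by hand.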
@@ -4350,7 +5391,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -4374,7 +5421,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4387,13 +5436,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -4405,11 +5459,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -4418,7 +5476,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
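Review bot: The `target` block in the hunk at `@@ -4405,11 +5459,15 @@` shows the schema default `creationPolicy: Owner` / `deletionPolicy: Retain`, and the `deletionPolicy` description confirms Retain is the default. That is worth a line in the pattern documentation: with Retain, deleting an ExternalSecret leaves the materialised Kubernetes Secret in place, so anyone rotating or revoking credentials has to delete the target Secret explicitly (or set `deletionPolicy: Delete`) rather than relying on removal of the ExternalSecret.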
@@ -4428,7 +5488,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4439,7 +5502,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4533,7 +5599,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4557,7 +5626,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4586,7 +5657,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4604,13 +5675,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Fake generator is used for testing. It lets you define a static set of credentials that is always returned. + description: |- + Fake generator is used for testing. It lets you define + a static set of credentials that is always returned. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4618,12 +5700,16 @@ spec: description: FakeSpec contains the static data. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string data: additionalProperties: type: string - description: Data defines the static data returned by this generator. + description: |- + Data defines the static data returned + by this generator. type: object type: object type: object @@ -4647,7 +5733,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -4665,13 +5751,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: GCRAccessToken generates an GCP access token that can be used to authenticate with GCR. + description: |- + GCRAccessToken generates an GCP access token + that can be used to authenticate with GCR. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4686,13 +5783,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -4708,7 +5809,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -4716,7 +5820,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -4755,7 +5861,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -4773,13 +5879,25 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes. + description: |- + Password generates a random password based on the + configuration parameters in spec. + You can specify the length, characterset and other attributes. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4791,21 +5909,29 @@ spec: description: set AllowRepeat to true to allow repeating characters. type: boolean digits: - description: Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password + description: |- + Digits specifies the number of digits in the generated + password. If omitted it defaults to 25% of the length of the password type: integer length: default: 24 - description: Length of the password to be generated. Defaults to 24 + description: |- + Length of the password to be generated. + Defaults to 24 type: integer noUpper: default: false description: Set NoUpper to disable uppercase characters type: boolean symbolCharacters: - description: SymbolCharacters specifies the special characters that should be used in the generated password. + description: |- + SymbolCharacters specifies the special characters that should be used + in the generated password. type: string symbols: - description: Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password + description: |- + Symbols specifies the number of symbol characters in the generated + password. If omitted it defaults to 25% of the length of the password type: integer required: - allowRepeat @@ -4833,7 +5959,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: pushsecrets.external-secrets.io spec: group: external-secrets.io 
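Review bot: in the `passwords.generators.external-secrets.io` hunk, `digits` and `symbols` document a "defaults to 25% of the length of the password" behaviour in prose only, with no `default:` key, whereas `length` carries `default: 24` and `noUpper` carries `default: false`. That defaulting therefore lives in the controller, not in the schema the API server enforces, so nothing here should be hand-edited (the file is regenerated from upstream), but any pattern value that relies on the 25% split should set `digits`/`symbols` explicitly in the generator spec rather than assume it from the CRD.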
@@ -4858,10 +5984,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4894,7 +6029,9 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match 
@@ -4915,7 +6052,9 @@ spec: properties: kind: default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string labelSelector: description: Optionally, sync to secret stores with label selector @@ -4923,16 +6062,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4944,7 +6091,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4977,7 +6127,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -5092,7 +6245,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string @@ -5122,7 +6277,9 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match 
@@ -5155,7 +6312,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -5184,10 +6341,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
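Review bot: the only functional change visible in the `secretstores.external-secrets.io` hunk, as in the other CRD headers, is the `controller-gen.kubebuilder.io/version` bump from v0.13.0 to v0.14.0; every other line is a description reflowed into a `|-` block scalar. The hunk offsets (`-5155` against `+6312`) show the regenerated file is roughly 1,150 lines longer at this point than what this excerpt shows, so the commit should record which external-secrets release the CRDs were regenerated from, and the review should diff the two files with `description` keys stripped to isolate the actual schema additions from the reflow noise.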
@@ -5195,7 +6361,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5212,7 +6380,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -5221,23 +6391,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5245,7 +6430,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5255,51 +6442,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -5358,26 +6566,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5396,7 +6612,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -5405,7 +6624,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5413,39 +6635,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5476,32 +6710,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -5511,10 +6757,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5522,7 +6773,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
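Review bot: in the Azure hunk, the `authType` description lists only "ServicePrincipal" and "ManagedIdentity" as valid values, while the `serviceAccountRef` field added a few lines below is described as the account "used when authenticating with WorkloadIdentity". The two descriptions are out of step with each other; since both strings are upstream-generated, do not patch them locally, but the mismatch is worth raising upstream so the `authType` text matches the enum that follows it.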
@@ -5571,13 +6824,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5593,7 +6850,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5601,7 +6861,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5628,13 +6890,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5662,13 +6928,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5693,29 +6963,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5726,7 +7008,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5734,7 +7019,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5744,16 +7031,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5803,7 +7096,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5812,26 +7108,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5850,13 +7154,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -5867,10 +7178,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5878,7 +7194,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5897,26 +7215,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5925,55 +7257,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5981,7 +7341,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5991,55 +7353,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6047,7 +7440,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6057,27 +7452,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -6087,18 +7495,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6124,23 +7540,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -6156,7 +7589,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -6197,7 +7634,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -6207,13 +7646,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -6244,13 +7687,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6258,16 +7705,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6334,10 +7787,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -6347,7 +7809,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -6355,16 +7819,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6376,7 +7848,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6388,7 +7863,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -6405,7 +7882,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -6414,23 +7893,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6438,7 +7932,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6448,51 +7944,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6505,7 +8022,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -6551,26 +8070,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6594,7 +8121,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -6603,7 +8133,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -6611,52 +8144,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -6674,10 +8226,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -6719,32 +8281,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -6752,7 +8326,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -6763,10 +8341,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6774,7 +8357,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6798,29 +8383,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6833,23 +8430,34 @@ spec: account: type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6857,7 +8465,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -6873,7 +8483,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -6882,7 +8495,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". @@ -6901,7 +8516,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. 
@@ -6910,13 +8527,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -6930,13 +8551,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -6947,10 +8572,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId @@ -6966,16 +8595,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7048,13 +8684,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7070,7 +8710,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7078,7 +8721,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7105,13 +8750,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7166,13 +8815,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7187,16 +8840,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -7217,29 +8876,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7247,7 +8918,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7255,7 +8929,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7264,16 +8940,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7299,7 +8981,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7332,13 +9016,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -7364,7 +9052,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -7373,26 +9063,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7411,13 +9109,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -7428,10 +9133,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -7439,7 +9149,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -7461,13 +9173,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7490,13 +9206,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7518,16 +9238,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7556,39 +9282,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7596,37 +9344,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -7638,7 +9402,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7646,7 +9413,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7668,39 +9437,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7714,25 +9498,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7740,7 +9540,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7750,55 +9552,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7806,7 +9639,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7816,27 +9651,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -7846,13 +9694,17 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -7860,23 +9712,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -7884,7 +9747,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7897,7 +9764,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7910,23 +9779,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -7942,7 +9877,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7983,7 +9922,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -7993,13 +9934,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -8030,13 +9975,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8044,16 +9993,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8073,13 +10028,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8087,16 +10046,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -8166,7 +10131,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -8186,17 +10151,28 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string method: description: Vault API method to use (GET/POST/other) 
@@ -8214,39 +10190,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -8254,37 +10252,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -8296,7 +10310,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8304,7 +10321,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8326,39 +10345,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8372,25 +10406,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8398,7 +10448,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8408,55 +10460,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8464,7 +10547,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8474,27 +10559,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -8504,13 +10602,17 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -8518,23 +10620,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -8542,7 +10655,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -8555,7 +10672,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -8568,23 +10687,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -8595,7 +10780,12 @@ spec: type: object resultType: default: Data - description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + description: |- + Result type defines which data is returned from the generator. + By default it is the "data" section of the Vault API response. + When using e.g. /auth/token/create the "data" section is empty but + the "auth" section contains the generated token. + Please refer to the vault docs regarding the result data structure. enum: - Data - Auth @@ -8626,10 +10816,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8693,10 +10883,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8802,10 +10992,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8842,10 +11032,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8886,10 +11076,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8907,10 +11097,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8927,10 +11117,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8963,10 +11153,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -9002,10 +11192,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -9023,10 +11213,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -9047,10 +11237,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9062,10 +11252,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -9080,7 +11270,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.12-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -9110,10 +11300,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -9125,10 +11315,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets @@ -9143,7 +11333,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.12-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -9160,10 +11350,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9175,10 +11365,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -9193,7 +11383,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.12-ubi imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/golang-external-secrets-normal.expected.yaml b/tests/golang-external-secrets-normal.expected.yaml index 3fca772..ffcf6cb 100644 --- a/tests/golang-external-secrets-normal.expected.yaml +++ b/tests/golang-external-secrets-normal.expected.yaml 
@@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- 
@@ -67,7 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -85,18 +85,39 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md" + description: |- + ACRAccessToken returns a Azure Container Registry token + that can be used for pushing/pulling images. + Note: by default it will return an ACR Refresh Token with full access + (depending on the identity). + This can be scoped down to the repository level using .spec.scope. + In case scope is defined it will return an ACR Access Token. + + + See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: 'ACRAccessTokenSpec defines how to generate the access token e.g. how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview' + description: |- + ACRAccessTokenSpec defines how to generate the access token + e.g. how to authenticate and which registry to use. + see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview properties: auth: properties: 
@@ -111,32 +132,42 @@ spec: description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. properties: secretRef: - description: Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret. + description: |- + Configuration used to authenticate with Azure using static + credentials stored in a Kind=Secret. properties: clientId: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -147,10 +178,15 @@ spec: description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. properties: serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -158,7 +194,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -167,7 +205,11 @@ spec: type: object environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -175,10 +217,23 @@ spec: - GermanCloud type: string registry: - description: the domain name of the ACR registry e.g. foobarexample.azurecr.io + description: |- + the domain name of the ACR registry + e.g. foobarexample.azurecr.io type: string scope: - description: "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. \n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/" + description: |- + Define the scope for the access token, e.g. pull/push access for a repository. + if not provided it will return a refresh token that has full scope. + Note: you need to pin it down to the repository level, there is no wildcard available. + + + examples: + repository:my-repository:pull,push + repository:my-repository:pull + + + see docs for details: https://docs.docker.com/registry/spec/auth/scope/ type: string tenantId: description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. @@ -208,7 +263,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -239,10 +294,19 @@ spec: description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -273,7 +337,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -311,14 +377,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -338,7 +413,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -353,11 +430,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -395,7 +476,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -430,11 +513,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -447,10 +534,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -458,7 +549,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -482,7 +579,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -495,13 +594,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -513,11 +617,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -526,7 +634,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -536,7 +646,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -547,7 +660,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 
@@ -641,16 +757,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -662,7 +786,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -739,7 +866,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io 
@@ -768,10 +895,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -779,7 +915,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -796,7 +934,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -805,23 +945,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -829,7 +984,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -839,51 +996,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -942,26 +1120,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -980,7 +1166,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -989,7 +1178,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -997,39 +1189,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1060,32 +1264,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -1095,10 +1311,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1106,7 +1327,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1155,13 +1378,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1177,7 +1404,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1185,7 +1415,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1212,13 +1444,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1246,13 +1482,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1277,29 +1517,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1310,7 +1562,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1318,7 +1573,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1328,16 +1585,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1387,7 +1650,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1396,26 +1662,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1434,13 +1708,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -1451,10 +1732,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -1462,7 +1748,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1481,26 +1769,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1509,55 +1811,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1565,7 +1895,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1575,55 +1907,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1631,7 +1994,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1641,27 +2006,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -1671,18 +2049,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -1708,23 +2094,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -1740,7 +2143,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -1781,7 +2188,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -1791,13 +2200,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -1828,13 +2241,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1842,16 +2259,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1918,10 +2341,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1931,7 +2363,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -1939,16 +2373,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1960,7 +2402,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1972,7 +2417,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1989,7 +2436,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -1998,23 +2447,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2022,7 +2486,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2032,51 +2498,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -2089,7 +2576,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2135,26 +2624,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2178,7 +2675,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -2187,7 +2687,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2195,52 +2698,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -2258,10 +2780,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -2303,32 +2835,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -2336,7 +2880,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -2347,10 +2895,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2358,7 +2911,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2382,29 +2937,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2417,23 +2984,34 @@ spec: account: type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2441,7 +3019,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -2457,7 +3037,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -2466,7 +3049,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". @@ -2485,7 +3070,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. 
@@ -2494,13 +3081,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -2514,13 +3105,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -2531,10 +3126,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId @@ -2550,16 +3149,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2632,13 +3238,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2654,7 +3264,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2662,7 +3275,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2689,13 +3304,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2750,13 +3369,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2771,16 +3394,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -2801,29 +3430,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2831,7 +3472,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2839,7 +3483,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2848,16 +3494,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2883,7 +3535,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2916,13 +3570,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -2948,7 +3606,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -2957,26 +3617,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2995,13 +3663,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -3012,10 +3687,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3023,7 +3703,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -3045,13 +3727,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3074,13 +3760,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3102,16 +3792,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3140,39 +3836,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3180,37 +3898,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -3222,7 +3956,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3230,7 +3967,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3252,39 +3991,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3298,25 +4052,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3324,7 +4094,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3334,55 +4106,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3390,7 +4193,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3400,27 +4205,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -3430,13 +4248,17 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -3444,23 +4266,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -3468,7 +4301,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3481,7 +4318,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -3494,23 +4333,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -3526,7 +4431,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3567,7 +4476,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -3577,13 +4488,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -3614,13 +4529,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3628,16 +4547,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3657,13 +4582,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3671,16 +4600,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -3750,7 +4685,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -3768,13 +4703,28 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. + description: |- + ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an + authorization token. + The authorization token is valid for 12 hours. + The authorizationToken returned is a base64 encoded string that can be decoded + and used in a docker login command to authenticate to a registry. + For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3790,7 +4740,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3798,52 +4751,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -3852,7 +4824,9 @@ spec: description: Region specifies the region to operate in. type: string role: - description: You can assume a role before making calls to the desired AWS service. + description: |- + You can assume a role before making calls to the + desired AWS service. type: string required: - region @@ -3878,7 +4852,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: externalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -3910,10 +4884,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3955,7 +4938,9 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: description: ExternalSecretDataRemoteRef defines Provider data location. properties: 
@@ -3981,13 +4966,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -3996,11 +4986,15 @@ spec: - name type: object target: - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Merge 
@@ -4010,7 +5004,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4021,7 +5018,10 @@ spec: type: object engineVersion: default: v1 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4093,7 +5093,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4117,7 +5120,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4149,10 +5154,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4165,7 +5179,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -4203,14 +5219,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -4230,7 +5255,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4245,11 +5272,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -4287,7 +5318,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -4322,11 +5355,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -4339,10 +5376,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -4350,7 +5391,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -4374,7 +5421,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4387,13 +5436,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -4405,11 +5459,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -4418,7 +5476,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -4428,7 +5488,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4439,7 +5502,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4533,7 +5599,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4557,7 +5626,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4586,7 +5657,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4604,13 +5675,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Fake generator is used for testing. It lets you define a static set of credentials that is always returned. + description: |- + Fake generator is used for testing. It lets you define + a static set of credentials that is always returned. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4618,12 +5700,16 @@ spec: description: FakeSpec contains the static data. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string data: additionalProperties: type: string - description: Data defines the static data returned by this generator. + description: |- + Data defines the static data returned + by this generator. type: object type: object type: object @@ -4647,7 +5733,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -4665,13 +5751,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: GCRAccessToken generates an GCP access token that can be used to authenticate with GCR. + description: |- + GCRAccessToken generates an GCP access token + that can be used to authenticate with GCR. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4686,13 +5783,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -4708,7 +5809,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -4716,7 +5820,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -4755,7 +5861,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -4773,13 +5879,25 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes. + description: |- + Password generates a random password based on the + configuration parameters in spec. + You can specify the length, characterset and other attributes. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4791,21 +5909,29 @@ spec: description: set AllowRepeat to true to allow repeating characters. type: boolean digits: - description: Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password + description: |- + Digits specifies the number of digits in the generated + password. If omitted it defaults to 25% of the length of the password type: integer length: default: 24 - description: Length of the password to be generated. Defaults to 24 + description: |- + Length of the password to be generated. + Defaults to 24 type: integer noUpper: default: false description: Set NoUpper to disable uppercase characters type: boolean symbolCharacters: - description: SymbolCharacters specifies the special characters that should be used in the generated password. + description: |- + SymbolCharacters specifies the special characters that should be used + in the generated password. type: string symbols: - description: Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password + description: |- + Symbols specifies the number of symbol characters in the generated + password. If omitted it defaults to 25% of the length of the password type: integer required: - allowRepeat @@ -4833,7 +5959,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: pushsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -4858,10 +5984,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4894,7 +6029,9 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match 
@@ -4915,7 +6052,9 @@ spec: properties: kind: default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string labelSelector: description: Optionally, sync to secret stores with label selector @@ -4923,16 +6062,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4944,7 +6091,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4977,7 +6127,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -5092,7 +6245,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string @@ -5122,7 +6277,9 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match 
@@ -5155,7 +6312,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -5184,10 +6341,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -5195,7 +6361,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5212,7 +6380,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -5221,23 +6391,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5245,7 +6430,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5255,51 +6442,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -5358,26 +6566,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5396,7 +6612,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -5405,7 +6624,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5413,39 +6635,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5476,32 +6710,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -5511,10 +6757,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5522,7 +6773,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5571,13 +6824,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5593,7 +6850,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5601,7 +6861,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5628,13 +6890,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5662,13 +6928,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5693,29 +6963,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5726,7 +7008,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5734,7 +7019,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5744,16 +7031,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5803,7 +7096,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5812,26 +7108,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5850,13 +7154,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -5867,10 +7178,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5878,7 +7194,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5897,26 +7215,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5925,55 +7257,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5981,7 +7341,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5991,55 +7353,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6047,7 +7440,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6057,27 +7452,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -6087,18 +7495,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6124,23 +7540,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -6156,7 +7589,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -6197,7 +7634,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -6207,13 +7646,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -6244,13 +7687,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6258,16 +7705,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6334,10 +7787,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -6347,7 +7809,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -6355,16 +7819,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6376,7 +7848,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6388,7 +7863,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -6405,7 +7882,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -6414,23 +7893,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6438,7 +7932,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6448,51 +7944,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6505,7 +8022,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -6551,26 +8070,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6594,7 +8121,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -6603,7 +8133,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -6611,52 +8144,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -6674,10 +8226,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -6719,32 +8281,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -6752,7 +8326,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -6763,10 +8341,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6774,7 +8357,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6798,29 +8383,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6833,23 +8430,34 @@ spec: account: type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6857,7 +8465,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -6873,7 +8483,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -6882,7 +8495,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". @@ -6901,7 +8516,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. 
@@ -6910,13 +8527,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -6930,13 +8551,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -6947,10 +8572,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId @@ -6966,16 +8595,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7048,13 +8684,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7070,7 +8710,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7078,7 +8721,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7105,13 +8750,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7166,13 +8815,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7187,16 +8840,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -7217,29 +8876,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7247,7 +8918,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7255,7 +8929,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7264,16 +8940,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7299,7 +8981,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7332,13 +9016,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -7364,7 +9052,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -7373,26 +9063,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7411,13 +9109,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -7428,10 +9133,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -7439,7 +9149,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -7461,13 +9173,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7490,13 +9206,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7518,16 +9238,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7556,39 +9282,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7596,37 +9344,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -7638,7 +9402,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7646,7 +9413,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7668,39 +9437,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7714,25 +9498,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7740,7 +9540,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7750,55 +9552,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7806,7 +9639,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7816,27 +9651,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -7846,13 +9694,17 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -7860,23 +9712,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -7884,7 +9747,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7897,7 +9764,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7910,23 +9779,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -7942,7 +9877,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7983,7 +9922,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -7993,13 +9934,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -8030,13 +9975,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8044,16 +9993,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8073,13 +10028,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8087,16 +10046,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -8166,7 +10131,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -8186,17 +10151,28 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string method: description: Vault API method to use (GET/POST/other) 
@@ -8214,39 +10190,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -8254,37 +10252,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -8296,7 +10310,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8304,7 +10321,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8326,39 +10345,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8372,25 +10406,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8398,7 +10448,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
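Review bot: the reflowed `audiences` description under `kubernetesServiceAccountToken` (hunk `@@ -8372,25 +10406,41 @@`) still carries the upstream typo "Defaults to a single audience `vault` it not specified" (should read "if not specified"), and the neighbouring `audiences` text "then this audiences will be appended" has the same agreement problem. Since this CRD is vendored from the external-secrets chart, the wording fix belongs upstream rather than in this copy, otherwise the next chart sync will reintroduce it; leaving the hunk as a pure vendor sync is the right call here.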
@@ -8408,55 +10460,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8464,7 +10547,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8474,27 +10559,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -8504,13 +10602,17 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -8518,23 +10620,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -8542,7 +10655,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -8555,7 +10672,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -8568,23 +10687,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -8595,7 +10780,12 @@ spec: type: object resultType: default: Data - description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + description: |- + Result type defines which data is returned from the generator. + By default it is the "data" section of the Vault API response. + When using e.g. /auth/token/create the "data" section is empty but + the "auth" section contains the generated token. + Please refer to the vault docs regarding the result data structure. enum: - Data - Auth @@ -8626,10 +10816,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
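Review bot: the new `tls` block (hunk `@@ -8568,23 +10687,89 @@`) is the only functional schema change in this sync and deserves a mention in the commit message, because it changes what a store author can reference: `certSecretRef` and `keySecretRef` point at a client certificate and private key (defaulting to `tls.crt` and `tls.key`), and their `namespace` field is honoured for cluster-scoped referents, so a ClusterSecretStore can now read an mTLS private key from any namespace. Worth checking that RBAC on who may create or edit ClusterSecretStore objects is as tight as the existing `auth.cert` path already requires. Also note from the description that this material is "ignored for plain HTTP protocol connection": a store with an `http://` server and a `tls` block configured will silently skip client authentication rather than fail, which is worth a validation check or at least a documentation line.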
@@ -8693,10 +10883,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8802,10 +10992,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8842,10 +11032,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8886,10 +11076,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8907,10 +11097,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8927,10 +11117,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8963,10 +11153,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -9002,10 +11192,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -9023,10 +11213,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -9047,10 +11237,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9062,10 +11252,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -9080,7 +11270,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.12-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -9110,10 +11300,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
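Review bot: in hunk `@@ -9080,7 +11270,7 @@` the image line changes from a quoted string to a bare scalar (`image: ghcr.io/external-secrets/external-secrets:v0.9.12-ubi`); that is valid YAML and comes from the regenerated chart, but the reference is still pinned by mutable tag only. If the expected-output tests are meant to lock what actually runs, consider pinning by digest (`image@sha256:...`) in the values that feed this template, since a re-pushed `v0.9.12-ubi` tag would pass these tests unchanged.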
@@ -9125,10 +11315,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets @@ -9143,7 +11333,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.12-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -9160,10 +11350,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9175,10 +11365,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.12" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -9193,7 +11383,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.12-ubi imagePullPolicy: IfNotPresent args: - webhook From 81574849d0c549aa95b396d95f1a0fce695073f4 Mon Sep 17 00:00:00 2001 
From: Michele Baldessari Date: Mon, 12 Feb 2024 12:15:45 +0100 Subject: [PATCH 09/64] Update vault image to 1.15.5-ubi This fixes a few CVEs. Tested on MCG. --- hashicorp-vault/values.yaml | 2 +- tests/hashicorp-vault-industrial-edge-factory.expected.yaml | 4 ++-- tests/hashicorp-vault-industrial-edge-hub.expected.yaml | 4 ++-- tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml | 4 ++-- tests/hashicorp-vault-naked.expected.yaml | 4 ++-- tests/hashicorp-vault-normal.expected.yaml | 4 ++-- 6 files changed, 11 insertions(+), 11 deletions(-) diff --git a/hashicorp-vault/values.yaml b/hashicorp-vault/values.yaml index 25740d9..aca2fdb 100644 --- a/hashicorp-vault/values.yaml +++ b/hashicorp-vault/values.yaml @@ -48,4 +48,4 @@ vault: termination: "reencrypt" image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.15.2-ubi" + tag: "1.15.5-ubi" diff --git a/tests/hashicorp-vault-industrial-edge-factory.expected.yaml b/tests/hashicorp-vault-industrial-edge-factory.expected.yaml index 0c68e83..76454ee 100644 --- a/tests/hashicorp-vault-industrial-edge-factory.expected.yaml +++ b/tests/hashicorp-vault-industrial-edge-factory.expected.yaml @@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.5-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -373,7 +373,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.5-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/hashicorp-vault-industrial-edge-hub.expected.yaml b/tests/hashicorp-vault-industrial-edge-hub.expected.yaml index 0c68e83..76454ee 100644 --- a/tests/hashicorp-vault-industrial-edge-hub.expected.yaml +++ b/tests/hashicorp-vault-industrial-edge-hub.expected.yaml 
@@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.5-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -373,7 +373,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.5-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml b/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml index 0c68e83..76454ee 100644 --- a/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml +++ b/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml @@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.5-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -373,7 +373,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.5-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/hashicorp-vault-naked.expected.yaml b/tests/hashicorp-vault-naked.expected.yaml index e09ac08..fc05bc4 100644 --- a/tests/hashicorp-vault-naked.expected.yaml +++ b/tests/hashicorp-vault-naked.expected.yaml @@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.5-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -373,7 +373,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.5-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR 
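Review bot: the `1.15.2-ubi` to `1.15.5-ubi` bump from `hashicorp-vault/values.yaml` is carried consistently through these expected files, but the commit message only says it "fixes a few CVEs" without naming them; list the CVE identifiers or link the Vault release notes so the security motivation can be verified later. The image is also referenced by mutable tag only, so if `registry.connect.redhat.com` republishes `1.15.5-ubi` the deployed content changes without any diff here; consider pinning by digest.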
diff --git a/tests/hashicorp-vault-normal.expected.yaml b/tests/hashicorp-vault-normal.expected.yaml index 0c68e83..76454ee 100644 --- a/tests/hashicorp-vault-normal.expected.yaml +++ b/tests/hashicorp-vault-normal.expected.yaml @@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.5-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -373,7 +373,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.5-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR From dde1055d6f250be6320cd0dae0ead70e2ec12f5c Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Thu, 15 Feb 2024 09:21:36 +0100 Subject: [PATCH 10/64] Use gitops-1.11 in acm as well This is mainly for consistency reasons as the value is taken from main.gitops anyways. --- acm/templates/policies/ocp-gitops-policy.yaml | 2 +- acm/values.yaml | 2 +- tests/acm-industrial-edge-factory.expected.yaml | 2 +- tests/acm-industrial-edge-hub.expected.yaml | 2 +- tests/acm-medical-diagnosis-hub.expected.yaml | 2 +- tests/acm-naked.expected.yaml | 2 +- tests/acm-normal.expected.yaml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/acm/templates/policies/ocp-gitops-policy.yaml b/acm/templates/policies/ocp-gitops-policy.yaml index 4691c18..a0ed611 100644 --- a/acm/templates/policies/ocp-gitops-policy.yaml +++ b/acm/templates/policies/ocp-gitops-policy.yaml @@ -35,7 +35,7 @@ spec: labels: operators.coreos.com/openshift-gitops-operator.openshift-operators: '' spec: - channel: {{ default "gitops-1.8" .Values.main.gitops.channel }} + channel: {{ default "gitops-1.11" .Values.main.gitops.channel }} installPlanApproval: Automatic name: openshift-gitops-operator source: redhat-operators 
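Review bot: the `default "gitops-1.11"` fallback in `ocp-gitops-policy.yaml` duplicates the value that `acm/values.yaml` sets on the next hunk, which is how the two drifted apart (`gitops-1.8` vs. the real default) in the first place; keeping the channel in one place, or adding a comment that the two must move together, would prevent a repeat. Note also that the Subscription keeps `installPlanApproval: Automatic`, so spokes moved to the new channel will auto-install every update published on it.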
diff --git a/acm/values.yaml b/acm/values.yaml index 1100baf..fb7cb03 100644 --- a/acm/values.yaml +++ b/acm/values.yaml @@ -1,6 +1,6 @@ main: gitops: - channel: "gitops-1.8" + channel: "gitops-1.11" global: extraValueFiles: [] diff --git a/tests/acm-industrial-edge-factory.expected.yaml b/tests/acm-industrial-edge-factory.expected.yaml index 2210b4c..66c0c0b 100644 --- a/tests/acm-industrial-edge-factory.expected.yaml +++ b/tests/acm-industrial-edge-factory.expected.yaml @@ -100,7 +100,7 @@ spec: labels: operators.coreos.com/openshift-gitops-operator.openshift-operators: '' spec: - channel: gitops-1.8 + channel: gitops-1.11 installPlanApproval: Automatic name: openshift-gitops-operator source: redhat-operators diff --git a/tests/acm-industrial-edge-hub.expected.yaml b/tests/acm-industrial-edge-hub.expected.yaml index f962777..afcd6ab 100644 --- a/tests/acm-industrial-edge-hub.expected.yaml +++ b/tests/acm-industrial-edge-hub.expected.yaml @@ -307,7 +307,7 @@ spec: labels: operators.coreos.com/openshift-gitops-operator.openshift-operators: '' spec: - channel: gitops-1.8 + channel: gitops-1.11 installPlanApproval: Automatic name: openshift-gitops-operator source: redhat-operators diff --git a/tests/acm-medical-diagnosis-hub.expected.yaml b/tests/acm-medical-diagnosis-hub.expected.yaml index cea5a1d..6e2e98b 100644 --- a/tests/acm-medical-diagnosis-hub.expected.yaml +++ b/tests/acm-medical-diagnosis-hub.expected.yaml @@ -298,7 +298,7 @@ spec: labels: operators.coreos.com/openshift-gitops-operator.openshift-operators: '' spec: - channel: gitops-1.8 + channel: gitops-1.11 installPlanApproval: Automatic name: openshift-gitops-operator source: redhat-operators diff --git a/tests/acm-naked.expected.yaml b/tests/acm-naked.expected.yaml index 5ba9bd6..880ef74 100644 --- a/tests/acm-naked.expected.yaml +++ b/tests/acm-naked.expected.yaml 
@@ -101,7 +101,7 @@ spec: labels: operators.coreos.com/openshift-gitops-operator.openshift-operators: '' spec: - channel: gitops-1.8 + channel: gitops-1.11 installPlanApproval: Automatic name: openshift-gitops-operator source: redhat-operators diff --git a/tests/acm-normal.expected.yaml b/tests/acm-normal.expected.yaml index 55553a7..03b0eae 100644 --- a/tests/acm-normal.expected.yaml +++ b/tests/acm-normal.expected.yaml @@ -797,7 +797,7 @@ spec: labels: operators.coreos.com/openshift-gitops-operator.openshift-operators: '' spec: - channel: gitops-1.8 + channel: gitops-1.11 installPlanApproval: Automatic name: openshift-gitops-operator source: redhat-operators From 947dd22d9878964a9e11d67ebe4b1b76186f345d Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Tue, 20 Feb 2024 17:46:27 +0100 Subject: [PATCH 11/64] Small gitops channel cleanups Mainly for consistency reasons. gitops-1.11 is already the default --- operator-install/templates/pattern.yaml | 2 +- reference-output.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/operator-install/templates/pattern.yaml b/operator-install/templates/pattern.yaml index 3dc1948..3615d18 100644 --- a/operator-install/templates/pattern.yaml +++ b/operator-install/templates/pattern.yaml @@ -13,7 +13,7 @@ spec: tokenSecretNamespace: {{ .Values.main.tokenSecretNamespace }} {{- end }} {{/* if and .Values.main.tokenSecret .Values.main.tokenSecretNamespace */}} gitOpsSpec: - operatorChannel: {{ default "gitops-1.8" .Values.main.gitops.channel }} + operatorChannel: {{ default "gitops-1.11" .Values.main.gitops.channel }} operatorSource: {{ default "redhat-operators" .Values.main.gitops.operatorSource }} multiSourceConfig: enabled: {{ .Values.main.multiSourceConfig.enabled }} diff --git a/reference-output.yaml b/reference-output.yaml index dbb4c6d..cdc1a30 100644 --- a/reference-output.yaml +++ b/reference-output.yaml 
@@ -112,7 +112,7 @@ metadata: labels: operators.coreos.com/openshift-gitops-operator.openshift-operators: "" spec: - channel: gitops-1.8 + channel: gitops-1.11 installPlanApproval: Automatic name: openshift-gitops-operator source: redhat-operators From 9614757f6e012f595d37b611e666a02d1483e78d Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Wed, 21 Feb 2024 19:37:23 +0100 Subject: [PATCH 12/64] Upgrade namespaced argocd version to v1beta1 --- clustergroup/templates/plumbing/argocd.yaml | 2 +- tests/clustergroup-industrial-edge-factory.expected.yaml | 2 +- tests/clustergroup-industrial-edge-hub.expected.yaml | 2 +- tests/clustergroup-medical-diagnosis-hub.expected.yaml | 2 +- tests/clustergroup-naked.expected.yaml | 2 +- tests/clustergroup-normal.expected.yaml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/clustergroup/templates/plumbing/argocd.yaml b/clustergroup/templates/plumbing/argocd.yaml index b0977e9..12e362a 100644 --- a/clustergroup/templates/plumbing/argocd.yaml +++ b/clustergroup/templates/plumbing/argocd.yaml @@ -1,6 +1,6 @@ {{- if (eq .Values.enabled "all") }} {{- $namespace := print $.Values.global.pattern "-" $.Values.clusterGroup.name }} -apiVersion: argoproj.io/v1alpha1 +apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: finalizers: diff --git a/tests/clustergroup-industrial-edge-factory.expected.yaml b/tests/clustergroup-industrial-edge-factory.expected.yaml index 948ec58..851119a 100644 --- a/tests/clustergroup-industrial-edge-factory.expected.yaml +++ b/tests/clustergroup-industrial-edge-factory.expected.yaml @@ -533,7 +533,7 @@ spec: limit: 20 --- # Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1alpha1 +apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: finalizers: diff --git a/tests/clustergroup-industrial-edge-hub.expected.yaml b/tests/clustergroup-industrial-edge-hub.expected.yaml index 541d612..611ecbb 100644 --- a/tests/clustergroup-industrial-edge-hub.expected.yaml 
+++ b/tests/clustergroup-industrial-edge-hub.expected.yaml @@ -1235,7 +1235,7 @@ spec: limit: 20 --- # Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1alpha1 +apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: finalizers: diff --git a/tests/clustergroup-medical-diagnosis-hub.expected.yaml b/tests/clustergroup-medical-diagnosis-hub.expected.yaml index e7c6620..9855500 100644 --- a/tests/clustergroup-medical-diagnosis-hub.expected.yaml +++ b/tests/clustergroup-medical-diagnosis-hub.expected.yaml @@ -1396,7 +1396,7 @@ spec: limit: 20 --- # Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1alpha1 +apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: finalizers: diff --git a/tests/clustergroup-naked.expected.yaml b/tests/clustergroup-naked.expected.yaml index de02651..194bfa8 100644 --- a/tests/clustergroup-naked.expected.yaml +++ b/tests/clustergroup-naked.expected.yaml @@ -283,7 +283,7 @@ spec: restartPolicy: Never --- # Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1alpha1 +apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: finalizers: diff --git a/tests/clustergroup-normal.expected.yaml b/tests/clustergroup-normal.expected.yaml index 9bf3973..f038446 100644 --- a/tests/clustergroup-normal.expected.yaml +++ b/tests/clustergroup-normal.expected.yaml @@ -982,7 +982,7 @@ spec: - /status --- # Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1alpha1 +apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: finalizers: From f0b3d01ccdb6bc0b11c86bb48f38546ec48acc5b Mon Sep 17 00:00:00 2001 
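Review bot: the commit message gives no compatibility note for the `argoproj.io/v1alpha1` to `argoproj.io/v1beta1` switch on the namespaced `ArgoCD` resource; `v1beta1` must be served by the installed GitOps operator, so state the minimum operator version this now requires and that clusters still subscribed to an older channel will fail to apply the rendered manifest. The move of the channel default to `gitops-1.11` in the preceding patches is what makes this safe, and that dependency should be recorded here.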
From: Michele Baldessari Date: Thu, 22 Feb 2024 19:52:01 +0100 Subject: [PATCH 13/64] Stop using OpenShiftControllerManager lookups When applying the policy to install the cluster-wide argo on regional clusters, we do some lookups() on the regional cluster in order to pass the version values, domain names, etc. To get the cluster version we were using the OpenShiftControllerManager which is problematic because it does not exist on HyperShift clusters. Let's switch to using the ClusterVersion.status.history[0].version entry. The only smaller caveat is that due to limitations in go templates + sprig functions, we cannot really take the last version only when the state is "Completed", but we simply take the last version. This means that during a cluster upgrade on a regional cluster, we will include values of the version the cluster is upgrading to, which is less than ideal, but it should eventually converge in any case. For reference the function that guarantees that the ordering of the history status in ClusterVersion is preserved is here: https://pkg.go.dev/github.com/openshift/api/config/v1#ClusterVersionStatus Tested on Lester's cluster and on a local cluster of mine. Co-Authored-By: Lester Claudio --- acm/templates/_helpers.tpl | 4 ++-- acm/templates/policies/application-policies.yaml | 2 +- tests/acm-industrial-edge-hub.expected.yaml | 6 +++--- tests/acm-medical-diagnosis-hub.expected.yaml | 6 +++--- tests/acm-normal.expected.yaml | 12 ++++++------ 5 files changed, 15 insertions(+), 15 deletions(-) diff --git a/acm/templates/_helpers.tpl b/acm/templates/_helpers.tpl index fdd9127..910b397 100644 --- a/acm/templates/_helpers.tpl +++ b/acm/templates/_helpers.tpl 
@@ -5,9 +5,9 @@ Default always defined valueFiles to be included when pushing the cluster wide a - "/values-global.yaml" - "/values-{{ .name }}.yaml" - '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}.yaml' -- '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}.yaml' +- '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ `{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}` }}.yaml' - '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ .name }}.yaml' # We cannot use $.Values.global.clusterVersion because that gets resolved to the # hub's cluster version, whereas we want to include the spoke cluster version -- '/values-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}-{{ .name }}.yaml' +- '/values-{{ `{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}` }}.yaml' {{- end }} {{- /*acm.app.policies.valuefiles */}} 
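Review bot: the second replaced line in `_helpers.tpl` drops the `-{{ .name }}` suffix: the removed entry rendered `/values-<major>.<minor>-{{ .name }}.yaml`, the added one renders `/values-<major>.<minor>.yaml`, so the per-clustergroup, version-specific values file is no longer loaded. The commit message does not mention this, and the first replaced line keeps its file name shape unchanged, so it looks like a copy-paste slip rather than an intended change; the new line should keep the trailing `-{{ .name }}.yaml'` that the removed line had, matching the comment above it about including the spoke cluster version. The regenerated expected files (where `-factory.yaml`, `-region-one.yaml`, `-acm-edge.yaml` and `-acm-provision-edge.yaml` all became plain `.yaml`) would then need regenerating once more.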
diff --git a/acm/templates/policies/application-policies.yaml b/acm/templates/policies/application-policies.yaml index e2e717c..01082e5 100644 --- a/acm/templates/policies/application-policies.yaml +++ b/acm/templates/policies/application-policies.yaml @@ -68,7 +68,7 @@ spec: value: '{{ `{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}` }}' # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - name: global.clusterVersion - value: '{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}' + value: '{{ `{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}` }}' - name: global.localClusterName value: '{{ `{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}` }}' - name: global.clusterPlatform diff --git a/tests/acm-industrial-edge-hub.expected.yaml b/tests/acm-industrial-edge-hub.expected.yaml index afcd6ab..0759301 100644 --- a/tests/acm-industrial-edge-hub.expected.yaml +++ b/tests/acm-industrial-edge-hub.expected.yaml 
@@ -218,11 +218,11 @@ spec: - "/values-global.yaml" - "/values-factory.yaml" - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-factory.yaml' # We cannot use $.Values.global.clusterVersion because that gets resolved to the # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-factory.yaml' + - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL 
@@ -241,7 +241,7 @@ spec: value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}' + value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - name: global.localClusterName value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - name: global.clusterPlatform diff --git a/tests/acm-medical-diagnosis-hub.expected.yaml b/tests/acm-medical-diagnosis-hub.expected.yaml index 6e2e98b..959fbe3 100644 --- a/tests/acm-medical-diagnosis-hub.expected.yaml +++ b/tests/acm-medical-diagnosis-hub.expected.yaml 
@@ -209,11 +209,11 @@ spec: - "/values-global.yaml" - "/values-region-one.yaml" - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-region-one.yaml' # We cannot use $.Values.global.clusterVersion because that gets resolved to the # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-region-one.yaml' + - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL 
@@ -232,7 +232,7 @@ spec: value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}' + value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - name: global.localClusterName value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - name: global.clusterPlatform diff --git a/tests/acm-normal.expected.yaml b/tests/acm-normal.expected.yaml index 03b0eae..87071cc 100644 --- a/tests/acm-normal.expected.yaml +++ b/tests/acm-normal.expected.yaml 
@@ -612,11 +612,11 @@ spec: - "/values-global.yaml" - "/values-acm-edge.yaml" - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-edge.yaml' # We cannot use $.Values.global.clusterVersion because that gets resolved to the # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-edge.yaml' + - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL 
@@ -635,7 +635,7 @@ spec: value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}' + value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - name: global.localClusterName value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - name: global.clusterPlatform 
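Review bot: `index (...).status.history 0` selects the newest history entry regardless of its `state`, so while a spoke is mid-upgrade `global.clusterVersion` reports the target release, which the commit message admits and accepts. Less visibly, `index` on an empty `status.history` errors the whole template rather than falling back to anything; a provisioned cluster always has at least one entry, but that assumption deserves a comment next to the existing "Requires ACM 2.6 or higher" one so the next reader knows why there is no guard.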
@@ -708,11 +708,11 @@ spec: - "/values-global.yaml" - "/values-acm-provision-edge.yaml" - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-edge.yaml' # We cannot use $.Values.global.clusterVersion because that gets resolved to the # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-provision-edge.yaml' + - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL 
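Review bot: after this hunk both clustergroups in `acm-normal.expected.yaml` (`acm-edge` above and `acm-provision-edge` here) end their valueFiles list with the identical `/values-<major>.<minor>.yaml` entry, where before they differed by `-acm-edge.yaml` and `-acm-provision-edge.yaml`. That is the observable effect of the suffix loss in `_helpers.tpl`; these expected files should not be accepted as-is, since they bake the regression into the test baseline.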
@@ -731,7 +731,7 @@ spec: value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}' + value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - name: global.localClusterName value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - name: global.clusterPlatform From bd9efba00c0822b8a95b211e7ad44a57e5936453 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Mar 2024 19:41:53 +0000 Subject: [PATCH 14/64] Bump azure/setup-helm from 3 to 4 Bumps [azure/setup-helm](https://github.com/azure/setup-helm) from 3 to 4. - [Release notes](https://github.com/azure/setup-helm/releases) - [Changelog](https://github.com/Azure/setup-helm/blob/main/CHANGELOG.md) - [Commits](https://github.com/azure/setup-helm/compare/v3...v4) --- updated-dependencies: - dependency-name: azure/setup-helm dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/linter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml index 39aa63c..39843f2 100644 --- a/.github/workflows/linter.yml +++ b/.github/workflows/linter.yml 
@@ -34,7 +34,7 @@ jobs: # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 - name: Setup helm - uses: azure/setup-helm@v3 + uses: azure/setup-helm@v4 with: version: 'v3.13.2' From 48b2e11002ebdf293cb7fc396f9fc4e9ebc34e9f Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Thu, 21 Mar 2024 09:47:41 +0100 Subject: [PATCH 15/64] Upgrade ESO to v0.9.13 --- golang-external-secrets/Chart.yaml | 2 +- .../charts/external-secrets-0.9.12.tgz | Bin 93006 -> 0 bytes .../charts/external-secrets-0.9.13.tgz | Bin 0 -> 96126 bytes golang-external-secrets/values.yaml | 6 +- ...rets-industrial-edge-factory.expected.yaml | 409 ++++++++++++++++-- ...-secrets-industrial-edge-hub.expected.yaml | 409 ++++++++++++++++-- ...ecrets-medical-diagnosis-hub.expected.yaml | 409 ++++++++++++++++-- ...olang-external-secrets-naked.expected.yaml | 409 ++++++++++++++++-- ...lang-external-secrets-normal.expected.yaml | 409 ++++++++++++++++-- 9 files changed, 1834 insertions(+), 219 deletions(-) delete mode 100644 golang-external-secrets/charts/external-secrets-0.9.12.tgz create mode 100644 golang-external-secrets/charts/external-secrets-0.9.13.tgz diff --git a/golang-external-secrets/Chart.yaml b/golang-external-secrets/Chart.yaml index 38549d5..a2a2b06 100644 --- a/golang-external-secrets/Chart.yaml +++ b/golang-external-secrets/Chart.yaml @@ -6,6 +6,6 @@ name: golang-external-secrets version: 0.0.3 dependencies: - name: external-secrets - version: "0.9.12" + version: "0.9.13" repository: "https://charts.external-secrets.io" #"https://external-secrets.github.io/kubernetes-external-secrets" 
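Review bot: `uses: azure/setup-helm@v4` pins the action to a mutable major tag, so whoever controls that tag controls what runs in this workflow; pin to the full commit SHA of the v4 release instead (`uses: azure/setup-helm@<sha> # v4`, with the tag kept as a comment for readability) so that future Dependabot bumps arrive as explicit, reviewable SHA changes rather than as an upstream re-tag nobody sees. The explicit `version: 'v3.13.2'` in the trailing context is the right call and keeps the Helm binary itself deterministic across action updates.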
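Review bot: in the Chart.yaml hunk above (@@ -6,6 +6,6 @@ name: golang-external-secrets), the dependency moves from `"0.9.12"` to `"0.9.13"` but the wrapper chart's own `version: 0.0.3` two lines earlier is unchanged, and the stat list for this patch (Chart.yaml, the two .tgz files, values.yaml and five expected.yaml fixtures) contains no Chart.lock, so nothing in the commit records the digest of the vendored `external-secrets-0.9.13.tgz`. Bump the wrapper chart version together with its dependency, and either commit the `Chart.lock` that `helm dependency update` writes or state in the commit message how the tarball was fetched and verified, so a reviewer can tie the binary blob that follows to the upstream release rather than trusting an opaque 96126-byte file. The trailing commented-out `#"https://external-secrets.github.io/kubernetes-external-secrets"` on the repository line is dead text and can be dropped while this file is being touched.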
diff --git a/golang-external-secrets/charts/external-secrets-0.9.12.tgz b/golang-external-secrets/charts/external-secrets-0.9.12.tgz deleted file mode 100644 index 368cabd9034a0f823297e5036e4191438ebf7800..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 93006 zcmV)IK)k;niwFP!000001ML0lavMjsCsX}hDlk?){Q|@ z(&^Z-!%6@}vdlsic2$8C?e=5M3(S*!YpuLg);$v_fRvpX=j@h=th}tuT=$FrCG(Sr zg~QaJC4QEUzv;g{hW5kv-{b%8|M2}|{eNZqX8+mu&-b4_d%pi1`t3j4fByIz@B1yR zrP5Yu#uCr_W)aLT{m^gh*Y*2X+WhkQA6&8|8{M)+*xMXfBOCR zPk;CU&j0!T;~&299{09_mi8Avf3^%h`biqZ(F^bT$pf}r=KuM4^nZ=^pFEiR=`0DB z8U694xGx^RFW!Ph?80C8QRbb;iT8Rng`fS*Paj;y3;%_8nPtoL#dv%XWS6VyXcjNV zl`B{N!-HUkQ^`*gb~ECiuTnpOpE8)uY^3pm1<{zLDgBtn!!W*p|HG0Cf3%D)9$fji zH*qpgUpyFkS8D0Q%7TWT{1^685PJCk{OIkE_W!TZDgBimUcyKKz7pJq~`Bxy8 z`HN-901Ew40(<=beE<9B4*&0>wVeOE_h&CpN7c2E|MyRxmGJ)$a2Fi@-$g5* zzjw(}Z|eJzH}{ueeCyA>bTym#X?ng2!`uJk!Goj71C;3}UKT^giy-n=X%Jl~%5cgD z+VgJXm3I?_p%?iu3iJjn?5&m_^LUrjEKd9fKr{|QI0Qe@{^})wtXIj*_Z}ft@xL&* zl>VMKz4f3EAVQdrc@MAID$E}0!+ke;@Zc>D5Jd3df>5Rh|1Z1ry?Jnc?k7m85UZwM ze6D|)dMuiIm+=j*6o|}uaIu1M;KRj(8H-@6K;Tx;1vU&z^Ij1}dg1;4yEo!I(?5XV zd4K%zU{jR5)7J9-e}VhH1Zp$NmYeZ{?eBko|MAo3#rOZ@@%N9vckh1}?f2iu|L233 zUzT|J@sS`Of-eLAJ)>*=;Qt)MrT+c*Az*}a;BLG@`Ob{+qk%WfyWzW(&*B}9IQq!K zmCt*=2Nos?=DzoDFH2U@%zOTn{uwMzSLf%!7jG~ecw#IcmW5A>mU)0r--m}UXCRd1 z{m+Vp!Fd2U2KXe}!05pzpN~!bGn@f8gP3i`fQ$4}e5*OL%C`+;gmb_H@a)525o8=| zWtTzfJp#;wAUS+@ihU9Pq)UGW=;r7gkX7ijRKO1TQ(yv94n6+2AmfM-a0pBe>x4;Y z@nW^z5XR0$CuqXW@^Q zi(4kZb)S2Kzoo;!rGwH~d{Xm!R{zh!?bD7G-;7|#@kr@t#XaG@LN@h7ljEiC`Pr8D zq=TFPTZkaAp9IJ>1423Y{|&ssF9Z8W6)zSr5G^$|SSs(x*9r)6F-kATw0t6kK{N|j z^Oh}+_##?5rf`5WpvZ5;L?i7siQP|>l#0K>s~_dU+bD>~N=C|wv-Ziq0b|6OUxG$; z6fWA%htpd=ki1!^esUem)b}^Q2&h*uBWUuai=Afizt|$ow^4h)ngKq%@u!z@e6@AJ ztBKqJ)WT)B@ZmYliZ5V&fYxl6kN?6Ohz|!l+1|`gvLT}BBo0GA+5SB%Pw4JjD}3zl zoe_ZB?q6wu9`7L#oKvwHbCOeD|FCxXT!YqnML7r6uzg@sG8WDJ;@RtbingOpY`ujw z%dxk%_O5%=#~w;^Y_^x2D=UjGsd%z%HUptOLp~nZGo!mkA5Qpp@0wWdVz<$Zuc9OX 
zJ!*zX&d-m&YZ^4tx2$oza`=Jx$G~WScCNNB_-Xgw2#)pL8{pYE+n{Sadr+DTv?GvK zpQRCK@w0=buZ$sFCIyDW+XLKUyau=*0tQJI2tx#SumD;vfV?Mg6N>EsA+E0k2|Q%i z@hUM9&}g(GnCVX=F@_|{x#adj3U9n0h-q;e05ZMx9*I9?>;hO5B~ugslyfcLm1n3x zvpCr%Gc^MCuC-IHZM(JTf6II*Hwd7q*U~+pOaHt7xMcr%^6cqTXaCM%UoK>hJc701yQ!?@+HVysxcbvPlyAR&0iw?VaUe8M;$H`NQ2z*0q#18e z@!dW`wLc$8iVJ-C3zp3;-)KO#1#?wu&4KWo&nR(~m{Ge=a=Ny|SjO|pDPXIdM9XRX zJ^xHQ5&nm;u=zf2nKqlz_Hy~$^UOC=*^0biCbJU5aSTsYn1S0f1IXklo^6VI%sk3qNcG!OJ+!-uc;0 zoLseSNb8n=D~vki=p>gg6ga$!mrXBh+O+M~t+#A{|4H@g7hs^SWe4dI-2bC_Fay!0 z#6AydG>!xDMcX6!PS|H^mV>Y4I0i(0+jcaZw_mEh#erCIk?K$y(#g~w%+MPSXUTk+ z`2Vx=SN;&B3b@8B{IQJ+P}d{Tvp6-5CmzBOFU5~GbX_XBnujA|{$o9fuUQAq(%&-F zXjZEbs?{Nz&yyctG=o*CdV#q55#WL(s}6SQvoO2-jStp#L<|I8KTVI5cxePf=8_J;~7>~j~9*L_oF-lc>>jE7dL(@x{%{e$A|LO4=cDJ zVbO)}{jV$kcF+4?*SH-tayNhmCP~-?9#s(_f~=p*0V?|ih~W(I1D;h~FR?@+*EfA# z{h*A=YX68wm=>|+Fvs7=anj1{b>2ssB8jtj7KbmqvxDQ(Z^Fry52O87ylBPsq2KQ- zzl7rXPTCpMj=M{PuK9}> zu*JHK*Q_m4XXc$WVWvkO>G5p`M z;HLd?%abqTFuu4wT_PTVA5u8gpm32JyKKC$<~zCsQel~ zFNM$qudgy*l02I$jgPC7^s7A{F6Yzxph1?JwhlyJ1M@`?O|DrGB0%}_^uM&Cd!x|` zv}ldxu`eGYR$5@;Z`Mn!8L_a)U8|$NPJ(EG|C1@3trZyDf&ZUA`Jo*D@pS+3zQg~! 
zXq)1Hx)jzX!eI&F(|6z8*%WXtG{#4PDulVa_Izk{N62xTfpSWD&&IU(1VS> zO5)X0Ofd8Y@E068!p)~*rvv)2B#cAf8EiXV$iI_=N*Tj05>^)Y+*2 zxIy%%{%f@a==thDm-5HjwaynoiVIErivXnFb{t+n{7l~${m4o7RSjvh)m9(*rv{Pl|WFxmf>)?0jBr~ z{s6b|t3VjA+!OyC$CR*d*)8;{qQyS;maeA10-qyLSNC{!hE+QTTkf%FgZ)Ywt$W%m z_&;&7_AFqR{Qu*N6|mt-?_B9ChidnYD}b5o z$VKnYb}~|i-`wSLG5QH17QZUM~jPPgg-W=c~EaGQI9U8$DL6Rq@fMBls2_tKy{I z*H#Lq7hGxC(OYm_`~qNtu8TMcawocBX?9HyI5{|(&<|(o2h?r9uKDo|{GH3R;VNNa zWlQv1dI^HGo8WQo5wd1PuGUoBUK1= z=wJJxi1;4iMIBN9;&4Y143>(aJQ$kCfzKOu#6iwCG~gf2Yr`!QSWl7#W#3#4Ef@aYep%?kz#S7YDtwPA0ZiOk zO!i6lkLN4^Kma7+@ZbzYCQU@DUQ8x}QDtxx*Gi3qvF8GWm4UZsh-ZVp}=TAlPC2!mN379uvhjZ6&4 zH=Cac{t3Z&^78a7&zMT*#*ZlPS_2_@S_oMH6ee`VFOe|OsM1Wz^Vx*~(%W=3T?83k zi~j+rXLyj+fe(m&6FMQ2-n`lc9^3(-#qa%P&vcC@TK#WhX99mlZfCIbmlO8f@ zdfY{1ehMR~H!9N73d+h8TyXqZgV3@0ql=OJ3hjrueVz;xuGGyX@UmW#lLW;3)niEg z`uy!iSnS*Q8g&T%O=;LBl!gr#TK#MLH`qkpt|LJ!>N}O-|F-xILLe1XQ~czq-^wr~ z8b*DqKr>r0Hc8r!DtMuB(MRXr0tjue3~N@2h$4miAIY?(zPF6$JPk9FO0H+8zsHf! zvo{mLZ<)REL6p1HJOSB+F6kJ?m<3DV#Y~RpwDggFJ~AC!{v+^~1O*nRTRJSxzY6<& zQ|o%*dOOfPVmRN`ymG<6q)3Hlt;6b&py)WtSIvl&{Ky0In!sQR3Yvz#rk?@{t{SOt*%AQM9nF%ObD zGF@#32qAAI`PhQ^tdusZ1TR=HK83^wh9#j#vz29YgTR)qM=t4$J+^GlJGzMYGd|~k zM>Y&D0diO~ZUP>1320RMZ+YxxCa1m$iV;xA%AHh0HjXOzC0G;N9B4y0jN>ql z=P-`LI2&}6x3~GQhB?2uF4v3+SHhUt2{oTeAL(4P{B7G}P0@7RBgcGN9+-q|UihIV zzh>)Lr1KPNDyjCo0Z0^(KfDV9Ng1krFwkr@2clF7y013d*FF&gE8uVi-)ETcGdx!o zEQrX}CnT-YB$V4xeKu3NY0SIv!*F;Np)NMJ;?RtwkvKXzop|scuMUo@7qW9|JQ_}r z6!=tK4YowhaW49X(g4uhg3MnSP;F}*!;*xxZ^nd7b&x3iEo?xlj5lXYqHHhheIreq zk|jfkb`ue7+C|YOVjYvop_;$` zV&Ka?kHav&!AbJ9Vv!*gy}IYIFva?4z6YFgo7VLr9%4>8cq5sneN}&A)JcO*I=YCz zeY5}lliI~;N4DpEIDLgWTl!4=>EJSmnE3ZAKUuJ->3IEUwWzitxr>`!|U&O_vNJub1@!A0aK&BP!3)D9nr<}IG)0d;AQScbc(a2n8wOz6WkuX z<_->d@@t~*WC)dvf^KQp;|oT+@EDE6@<)=KHN$KDYY@4^fJ?d#<~8P#*e9ib;xIV zvA7*-|AipiLy*~j*07LN*qRCWb3cQ1Yj$V+Wd#4{3VnD1fyi4pMzo43<8n+89ot^A z%#T=;^0&yf@Q#OhIYk|l^Iv&gNI=KBNzpqI)RA^pu?67TX^C~0p=IgKGyD;lILszSZRZ4em_j_mlsf4@FVC{>3c_ zh?=XAa2t}dH(ON8F{MlS+sV52g+wu 
ztl~k{VH9o%y#y8_%L9E5Fkxho691aU(J@gt?$qcPHgigTj(Hm16aRcvQY7$m<0ZJu z3`~i6s?H|3^s}I5Na^k=Q$yR0P7Dt|I}U>Mzy9OVe~$3GAAcO2VA9sXcmFMV)yxdP zw@)X1ai@S|Hg(0Vy+$ZZkb;i8QA!D_{xYFArq04TcTd%vyQg#a{4=?G)*_37izn%i z{FJ0#L~x`*s{O1C!8V&ykuJP#*jHt_sI`C{JQ9?l{0X!a8+Zmo2Qe&Pu6^ zMhd$PYkhbtmW#IB?Rwgk^M$j0*I-j>wIj8ksWO`AMiKdGGpA(%geu!&v;}-_inbP4 zu=%xYdLWgR9OC29pRY79#2A;7-S|HDzj>|7n@ZP`EB`hnVFQ0Y=E~57CT^Iw!&F&V zRuLW>Ez)~L>>e&`^nb&D|3BZ=ue#YLW@Zmh{6(Dk9lip#ro|IEXvu)XClfcG_9MX4 zF&_7t7oR;6EYw(R@OC^JeTOrg``PTW-9~8cGM0;;$+Z zqmDlTOZNPkMb{4}Z;W~y0m$O4jGQM60DtY@N^uNv89Dg~mq>}d_Aqv2j6t zl24P+rqQy@FQ?IP*pU|0=fOy9ZF!UA(-k2!OnN5F)PRyJQe=_KZjVr@2zPAx-5%-} z)7295ZMBBnSnuh&UNx}xmL$5b-O;wTVdf5lcLJVrYac^DPyP~KcOex!mg7_oTHv@4 z`2gPG{DWY@gp!rV=yY)&q_RQik9gp7P#BlEw>-SZ063lJ!Bq=A^JAxSP>-QIOiJc@ zxPj>Tk-!b(jtA7KVK(mZQ}eI<)g(3-(2m;Jp3T&gKl8N`24?J8brz z+^@9pHMW-J6MH;gw9*eXIWZL5Au5hg(>~_{mc9?^U>Bg%1A6FiGD=dxfBm8Oe9_cglPq7~@jcxRk%4YfwFukr3-G_oPv)ljt=+IC)}5 zGgyTe)T<*cmrmNrl8dHr20CVGdJ`w}y>dPZAm1kU!+JZWVID2p(N!6{I0I7xhiypb zWz@05Jyc()L9i9~P3cDb*h=BLx~)l3KaQjIdXQ2=uF>3dXcATnhzcZXlXUIQm-+#VGFYH|PEf3{TjD!4xjBn>}pCPBFo-t?VGy%j!A?g)!Az-*8j)X$2 z3JTiOgZa3|H9@OJa*^u+@(3azUw*yYc&GN&3?os>&RItcs~r-OGMpGXhX?F-%(>zv z3lafgO!|;^iwM%0_N5qf9{ZgC6H;F;9E=n_0UlG7RlA(V4{Yk~mb0Ipd>r%_#J|5^+S4IRZb*+F{ZB{4=_G7OuG z(Yr9=Zk~jq5s2IiuN&kxxex%+cdygVp>C~()Es9$Su)*zUz#DjlQ&6_bv&H)sIM4W z`YXLA{l|F*+{=ZZNmt@U?*1$KNgk(TmbX&Va3ZG3FOf{kEMt7pW(hI}#k((;VIVUS zhV0f)q~gVUbRHxr1%rkx&DvF>MtM7Ikb^mDSVu`*J`pl})v!NimXb4WenI%d8KN{N z4QrIxbCoSul;n(wU5!rsWyog!1UjihGMUN_yGom}S>JZr%PmZ0_{dF-4&uc!z#=t< zQ(0=hWzn;~cEU$P*h0-JLSG^cE%y92=~{>|TZI&-+%CD*H!3Gx>uwv{#Jt*PAor`_UVyM6%O~6C z5!Whw<`7Ob!>%@-)N#qV@5vLB%jx&sSn?)aNvgK&0;Kz{q|!F3?C>4KaI^A^7q^hC zxd;t|(_r)FoaV&__mn%Qz(twGi>at?%}KO0fWX3tXGGs3IY~?pxnp!qlcd=~yVmpx zlbofsfXe+8%4-V>>X7clnr9`i2U#|RXP8Dc9pWjz+18=%pC8paE>c|+I2WXv=3J1R z3zBm|>gwxUkW_OnNO$Cd)Pqxy$oL?WIyCzR2~xJ-WUMs3<0r)lrTLmIDB&rdZ?M1= zq386Zr58B2-XaU=u?tMar}SI;RakZ@xjwQmnDZGh^qh}6h|2f!el 
zO}zIvQOhHr`=PJ*KEVWvP5G})uUhd1oN?Ws9t>2Cv+jyl=k1JARSMmD9FhJcS1$UA z*PbInHj`&p0%Pmd6X?Dj(w3Ex3ezj#C94nx??_fP6Sy)f=-doKp!9e8kkXU%v)}CB_=)FbX)Q&zKhFc?yQo8vj2i*ENcu(^aJ}k`Nc*3;IO;4CFeA6SQ z6?Ywt$?bzB>w zZ8|P(E84=bs;CUuI_z0q;RZE<23s#)F`RuQ{TxU7no8_YKQ!1(i(ksaD|GJ?c+8su zvy8QmvOGnZ$oW!QY#+rg+A^xhww@!vHY!f}(FFj>P=lus6)KU;B(+dY(ALLNdPgF<;4P1ylMK)S<3&3vb{48*OS zy3WG*+EBEJneVbjD#^Ip(}vAPGb2A%8*k1Orni>NLlW!Aq+<&EsKjD~bW??a1m;nw zsn61D2D!!x-Pd$WvQ~0g8OGallim0Ao9nbR%+a-I!x}zz8e5*O{w*`~7PPg(8?SoJ z?(3|GH^Tyjdb9SfQ6Gv^o>;C?!?Yi}?UU7J>ZMz3!}TV^57G5*63y58eog4wc_idZ z?TRR8Dt^>mA}ep^c7S|*3y9gmYRI3Xac?7iKQ>EnhOmsJSrcD3wlP#vqjIaf zIqc`KU(1IM`&B=3*st0w!D-{8o5x(WSw~KTw zST?(Sna2zm*>cMt@f`D54+9mIv?H+_az7%3z-tEzkLLU@WC)+UJ8bqaw8>Q5ss)?0 ztW0Fdm%or&OSyw`M}R%(00@1LmwJqZU$yAmGHv2hl>!wjkDoUc9gxk8;pk*93b47# zL-siw@DH?6?&K`C&b`O$6Z7lM@Xbjm_38AhAfHz!;AitN<G7v|OdWN?DTDy7N|Q5+3{Bh7AWXAp3N|Iop>_GDrrvb*qKc;yk) zbI!f_iZ;w-)w*ETF%RizF}|iN@3xU3VN5_xD56>Jr*^(`sE(qsQxE=KL?hnpw)TPP z^U&7D5x;Ox{~hr=-LOA+o}&>E4XnQu`i0*_6o@uV%T!C80*?(o_IY_qc#b~Le2KG` zsp+0~a~Y?cSSTyv0RC&R*J?=7AK2h18tkdm`h`cM$Qt>44CuGPI)r%>Udi*m46l^q z$`GJ56c;Ls7c~!5@m94Lq*xf`GDhg-Um!)C=2~?ng+jI`m-w? zc4$iBENYLXQL9BdN}Za^;_&*VrS1lWap=2(tv{afN~%59#>uOU)g4yL4e93h;6PF= z@wy3mtOuUe5be@f=Kx*gYv@%fu@!&D8Cu?02QsREV{25sd0F{HvewPs8mV%K5P_M! 
z)Vn!n@Q~;4%+ce|^nw1wnecbk{zQ0?51ofs0@dnVYs($)exzy_xW-lD7y0}1(!ycD zWfU{`b=#o7cR!p6g;+p^=kUFDsnHT+chQM(J(Nx>lw-Ez5y5e9&C0F{AM*vLtsQx50)rxr>o+ znp6U3gOZ9Wdm6?wp78?}CwOGY^sCgsBF_kqxk~(V;29%SQ3G?h#1wiUIDVGV>Ys%- ztE=bj>UoRi>UsZp>v?M!rn`!FOZJ}*{iGnroq}(J^`w;Ank$%-1poc=^u4ZZeuNtJ zs~2!=7iicRiT^zaS(+l@tB-v~9d>CTN~Q!mhw~!s8Q0k7nUJ)uqpTdNZo*J{ z8dw-f<`lP8v&jJePPlzg5ilrsu7plNem?Tv%RpO|H-4c)_-n>C$cD5CqOLBTb z+Yk=N$oXR;I_FzVIc!rIzMtMkGnEi^h3riJ(MNQg>dKd3;{G7l{OZ$W8GJZ-V;sAt zmh$QoQa|rQ5|-=#6>FDMHUfhhfJTO1w#qK~>+MKLQ(QBArNf)zS#_H_4vQFVMy@9G zMC3mEh_}m4b+{6%5FUfTG%bR?Wgnt6wCxH`4*5`2b0d@kd;7)8RyK6%EGkHy-f;v8T6~_{qxfq zMM@gYbY6VjICk-Qqkjz(kWIDVN$iDL1-aLn(OjSDk$jfc4B_TVGa$*5IRT6Hu<(~D z>2)BlgC+$ja`BFwO)y@PI6FKfSV#;j0d^?JB)1_AFR3K#XVG4E8kTgVapNju2uY`HbMA`0_ zFOSc=CCFPj?xzLRx*Lp7Ga~sVY+gbAx*Gt~Sf>&hFoT|Oo-9wQWBR??9;wU)glrE| z939X0M|tX}7JgG&5?RbhZAOH01|0K*>8mE(=(DX*3AUOCsEad>o?7>@PsBu}1Pq^H z0iWT;vS6XY*UNCFvoxNl;cx(us6e{$!*F;N#W#^=6``3a`{~ii=>*+#UmYBKpW@^y zjM>~fLYqfWD?Hb?j2s`xD_4S79VlBa{bWbjNe-$=*u>$sz+*9;1nIz z`^!*0+nn!)ac~yI)O-a)CD2H+FfLUGE8SExS>y-{XXwv<&-)C+e&$A4`Aj(uaJnmp9UXRb*l``~ zc+3*Ewc=zBMT+K7WK(k}(smyXMdst&b%IBuZZr1NDwu^+2muR~ z&%J|*H>EjL9^7k8CxL>0?sUQp-sG8$I2elva;Kn9y}Zb;Jt;Z9c=-PV>1gwhv$Nw< zM50+di$hY;lM3D!X+Cb@$}D*GW^D=Wmj=U~Dm%i_&fc7&UL*pzchr~UWiVfO)7#dh z=SEj)#*SOOv1F@Y9p!K()$93j@!Edo2i7vJu}4ie*{bY-Cu|Yn{76Y)JMz)0-606Y zhW2=fKOG%uo(3G-4w}Pg^Je_2O-Mm22@tNS`QB{(In$lHSizT0RYXx#_x2x!b(7?I{H1d>I@EKKH5QFX|xThDDaMI>VCjw zrnELtm$$^0>kDe7GA7k*%6^M&U3FifC5CwvGL)bUub(6d-Q! 
zjewy+PYo(}Yoya2v_gH}WsF(lhUvi!^b)HUkz%O!wzeAL#xT0{)2W^M0s0Hn zBT}O5TnEvCK}a{DM{{E!J8HuzAkN2I%aYrQtDw>od^+v23P=S%z}QRYSKP&#NAPP> z5f5^`1%w5J?>b202vg^Eh;V)$aX*h|=?JD6u?71rjz+V1F^1WOu$kcnX5!%y_XynK z#R?8!EYA_nX$U<>m)RoxmK&cj7v4}?Tn}oQUvE0AHyCJT;5zY(RqK4;t7y4-=t{-1 z-{3y(0wzqF3z(3rZ~+sJ{k-?==iLWP+QX;s(7QDw~Q@RY+- zg|#|7=xth>i0SYYXww0gUmBe^SCvoWW*aiC6>WAvZ9fT=qycF ztrCXOT5Iytw=P%6ze>T#*D7@wBJt`p_ur*tc6yS#mWjH3|D@kvDnQcFnZjIrOsA`| zDc852blUtjwsa71T3f08+bZ#|uFVwN*!T5EJLNWhg9VR!Oq;m7{DZjo5j<}h0R-K| zZNNy=-GfYMtwG9~r1Vm?sM;8#7HDRq#u&Cbl`yhHx0iVI0q49EWi> z>V_zyE7gX8#fu6jX37bgI6F`*k`zdYRV?{72p|J$xF)_<;JtR(^3vR@lx@eY9Ad;% zaf<`*k=Xusn5SLTgf607U`Zcke#DRu+*2IkUIF3PXRg;K=EBfiT7L&}Ht~057DkaV zxQKF-?lPWxk5b?F7@H5_KZb$m**2w_lxBR|*uAuYj^5JTZP4B5WynppGxCL7d35eA z;9QAhR-lZ+d==1p=n6xnShQLOn9De)JUz+sW)2=Uuk5ruu$K0@#)YAEEJ|)x(i2d@ z%DU8_<)iLHYBP2uu{Mrw+i~O$9Y%U~6ftxVu_kQY4j~&y5BKH(vgH_JgA04#_@PaC zq1}e?8u3Vywwq@T;2#_o^>$K-!qt#6o>YLgOuQUE(gwo|x!r zCFK1nhWzr zqPztXClK^M;#;;f@a@s67~0sXtwdZ4E7^5@eZ379VCuj&#B*)u;cTSHHkxemQ1M2u z`$#Wl%d}BgDZEl(i%#EK8B1Qp@kQv1JOsxf%h1dIu44l>bp8h@^uS>oyC2$luRGrs z!>{h0B9w2%`L^`11?SuHXYg(Dyql6{qfb;R!2Cv(2JW4U5#w(mrHL9FcrXN^S%P`X zd@L>s%AmO@C>I6gqM$rS3rp?pqo8bJ`%9G2{0oD`RGL3uPE7h?4~)7kO-N+n)+?ea zzeU4KBK2^1QAJM7&9rabQhAVtY-%Q!2iY4owUf*FCm&f7uxaS0cO!$BoEP~LhYO(= zsBvFpa^X_m>ciG$EG64V!BK8Fd)_JkwngZ6dE1@T?WFF%IH%FS)NN|`Gs)$%brPM+ zU96T|lTVT)*c%)5Ru=X=%>Q1pPL@a)b{Tnx;-cXNl1W`S>8D&SJFxM!P_gK}U1!N~Jk=#jz`DoUeslN&8|~ zgf_#*w?`-fMM)S0^UG+yi~~4c{2MuY=C$Kz@^C~Hr!tdE?XN^5_nS4iT21{V^0Q`K zUVzbS)!m9wV1*C)qxedAhQiWK^cf5GMf1Ax_S?D!k!e@sI8NwfTMM6@cU!SCu85y#j=O4Vj=QqmhvTmDakiKSNugnf z9I-j%XtouH9DCS;Lyq?vIa;I;)h*jr+%buNsX&Zn-=Lc4KWly3`bn>yuUB1jzFyAP z%lUeFj;@s2-TQhOcg;+^Q3}_Biq-PyJNmd16N5~AkA!IIv&2u<^O|vDiRZ);Czfom z1xG&q3}T64O4vo5`R_~)U1cW{|1h9(@Kg9-nL6OAcL{pZhyK(JzDyALL0ib0A61h`{Z9@hH8 zo8ESIHNLkqCTk>HZR%m6Zk7K9-fG0cp|}U5ARb>o9z7fFkC7gazpd@C&%)&;+aDcF zM0WU0Cy zdnnis4hVa_Wy^ud4!ZM@$tFEI4Lhr4^b1CtxD_KwYH0GPjEQiE2Pig0E^`NnQ8(q} 
zU-nF-@~w5k-T(sIb{L5hHftu71>n4=u2zmB;*(xecK4MzZhfCqeOK)_;pp7+7t8E+ zFZVyrvnvXx&5`$h$+NqJ&=1EirJKvY=zLTxnvVfp!LSJ>Cy}yPx>_#7K&vN!m=2Ji z4E0ut2FX{1K3B8u)Sb5E!6j>XVFfLg;)P4%)deQ?2YR0c*M%e^eP#ka2f+IY!oXfJ z|8xGW^gPpslf->;e1tH*Mtu(OGEObw)DliD;nWi5t|S6^tRp`i^G`+OfS?BnJWxbR zr@=*pu%}-m@A&0gA<*u*m`I1a^tC$N<#1Q2d+%uyG|tJOca9T#v)*A^(^)4jswPUE zDcmZC@ZKLB9f~+f;;{3i2EFCu#c{2c`avv&MIv^dud*BzA>1K$oaNRedW3Wh9KapD z5H_1C@MrO2$&zg0w~GZfDCHm@QeGHd2|$~R4y7IVg%rETtMsx{uVi#sel$yNX(Jsz zt2SGHsSheQP4`ZbV%dQRv@i}U(A)_mlsw#BSHc_;MMb0%^SLInhS5TWLg=4o-ZW&< z71tJ!9s?G?!YJ$@Y%gdq$C7i4Ao7JOS=TI#U^#FYvCu|H4n|b9&eQ4x4I}MN>qHgJ zLffI4)NL3HIyxXKGp*`yB-l06{?e&y(@SJo6H?TJ6fcB-EGP)a5oRRBRcLS(8eD~j z&aSRPgR9VRuPQVUjyFcbA0FApQ3aEPzK-Vd>eG48J@P))48A1|R-eYDC2K!?*_2Tmz>cf7Rr4AuvyNdo0vl8y zoXZ~Gl+CWNvI{(s1yZlpT#R`GxY8N!At&*|8;HHMbMw4eX`pb>?s~`A)`1ZMM6Y}^ zmx|&pXc2ds`dMbGzg#UVHeen2k%`%vH_P19>*gaeg<#SD`-)o^l*2c1_5j`tt34DU zE8b~G8M?gHdCQwajSJ=6eY{BmM(hF1Z=9(r^W1o#DJm@7dKBX%vp6vh0C*`JS#bb3 zD~q$TI4jFtiy5;0xvVV6kr;I2G}fS_ndaVNJJxw{46Yc@jZN~9dY#GI6b73^ zon~8csI!MHIMjKsQKxa&UvGNn*8h1^%dB%;r*Y^?z5CBkXCi%q!i3$Ed^#JyKRP_v zIzOI=DHTnETTQ|s<4nAoIZJluQsk3vF-D`XD3l$0qRh7$p%TYI14wQBXPW(l5Azuv zkiY7DMGC~ZrCSgl)Ne|oH);8D=pkhM#WGH?{%sZV#*-Hu0vg=~R3eT!KAX=KzmLzR zc*ZM~QD7dvGE#&KPlnHAiTjLX5YeSlpPG(;{}LDZUzR~a7y-y+9L;xko${HzEFiW8 zxma9+@y#-xwB_wv+$`hidb@%9k1+%D3PV2)zn6jfL6kjzW_4%a3;&|kpEPf4mG#6{ zm(Dy#!-Q5e2_n-tIi?Yq61F#mjV+4BW{qYmyR>*4*mjm44%jH#xr*pqLR(_PH5^0 z6Mb-%+3%czBlO%aSRV1b^3=rno4Q$Jvq8?pw;bCtT{-A?!+X^qNIeTyVy}#*8{`}M zsyMMpDf4hyS;KG5iR94IbhYqD@D=@K8lY~E8BO%MN!KGwo~1se9TI7{;xL#6W=gVq z%CrfO;0jb(3n-9NGj<^^hu+GNLheP3njpqWa9%)Aq?L?U8D|~MGFN{lT=Q9m?T9x_ zGsKZE$(EXeNBrV1Q`pqplHcRBsV&q?TPHv&&!K=DrzB;J(^J-{*Amyh$c6%ew~%qT^GL0^MNVdGVXbGGbTfAa>$G}7E)!Y%~+82@k+Cv*5E zNDOih(H7wfy*Zp5Z{3s6+9rlD-Hl?VZvQ=5#c&h7D`W1XU%t9~l1o6K8cjwy{-i%v zx7nxWu#Bd0j{HuFcT&7#X)L99NnE#uYCnkaxhn!8H$sT?w_2=NLWTFrBVh}%)barO zV%11mJvF7EMbuIFw4FDDCx*X~vYn>v)84gCE_1{Cc+W^pk7Q=|b*XwGEjy}8Wq3XA 
zBPr>Fj94c@?5EJ7NdZ2aW5OZ?S}DFMFVrW=$TbUtIg$|F4zDL57tpGuxb&_QWq6LkohC_iP0(i<4 zzofM5X|*+^}SR1e67yC*axs()#~g9oozMFiZuW!m_-)3jl@9hwL2LgqtMD zd>Oo#7Tn9)^|UYqQXy`z!<&@`izQ$aIOXJ4+7U_D6~^&Wkgpkw;1jqB46YvFK|=Xx zD+}5q2M7)D^!zZ2AF*lZ&jsd1EZ2TZWii^Do0}0uh{7YlQ^H!a^LUnyWs*e_=f;V@ z425X-Eepf=<`)4s*wruB0sG~W_TG6Frg02VYSyV4;ToG8@J>UTJmapKVwCfnDHo81 zht|2zGD`6(j*H)wmr+I~P>|rElRAN+odMt<`q6ce#1WQ|pv#1o;W)|g`NJ&UTj&!E zMfHr4(CkL(eg~R)i}`Wc6g{1yd>eR~rdYH9{gOxp-FeWy+SfQAXj5LJOCN8=cA`FA zxMq>IoJN<2%3=KaqtdCv|6j&IWa8U6;JWU?h{(b96C6hP5BSjq)@Pu%6i0d1=D`?+ z(g9yWx;j4(zO+t(OcPc9#^C-FH8`6qrK5M4_cxe4>$lxEy|fnkR2?y+80e#MZ&}6Tnt-uDKR>PrtN$Yf|0i zdcUhf8?<`LOW#sQS%z0OG8&!y=8ZqSjN>b##PpwdU#ryg%)9U-Kf#(^K3r=;XJXEV zDNTgmX*@SC`}7lZ-dt61Cz>MxDW^O7YwC_#j^AmIwC1!&PJ86EN1}1XL+jfIrZnIp z*0CY3Fa$;6PW*!}WYhg{!?`h*l}yUpE_=J7yqDS(J3686g3xr-)-XlWzov0y5^Pym z$UosDr4@izu}UJ2v-`R7Mh7Pt!Tt*NalR5&l&BLxE4g4P+c^ioO{uTgQmIcs54zm% zT#STl(fKM8qFYMjj*~j{@dU;xBD@A4Tm&HHc0FkW7j<(#1T!0X0iwCC54m(vQp*%< z*evX{7G9F21Y*K!f3BY_{Efm4SlGQtI}bu*|H1X#zwVhsN6(&vmabpsUW2>v8C+xW z7XE_kU6=dl;L(?-pcTB09m-67-i%@+OiO}TIia)%3}K$kcxBE~obmpfGBT?qv}U2; z8@viL)>^%}x9W>&n>lfat65jcb<2Qme*x+4Y8rnrQg!`{zIemGuu^#OFFpBbA4M6L z!AoJnF+M`RiqSzBujZJ&SQ&x5M-Z z^}tc&r3FN_Cu(kzJ4`Wgk_$0#_}k%chrhM9p*g=}hSs0SrSgh0F0l=suNX zL!LG?2<9Sz^F3!lSZiDELTd~5<%AE@1O=_W!P6%HiSBv^wBaLk{{gzzG*!nfXn|<+ zQ4X7gy2jDaxoTAbM~xcv6a~vu>RphE;we$-Id{`4Vk7#d{36;83F~u^`KR`PT6EUk z1TAD~c9yUxrSVa9(fktREkKTBh+2_ml}YzgUZ9|O(K4HnmV%{iPErO#)E~6f5bdVd z&H=hG&`_+g@#jVpq!Dte(|t93So3Fo$zOO`q6}52YQcjAd=#eYkE^MqQW~%Y@V(#v zc)+)!n>i7aBnNT0TIkn)m|NGp(ZbIdaz7(+3a^q(XA>c<}k==*s)`0l?){Q6an5Mw zeKVCy#%HD9+o$6lulJ{L8q)hNon871mLD6Sp=fe^^zrFw>4y?hJ>Wcuh9}YIl{*J> z_jYnP_rGKq^c-^k519cAZ=U9(yeF!Q2^U4Js1PHsDRPwmOqxNg6~r0iLN?PT^vRaN z$9f0NE`APSkb6EVY9V|okz5db6tk{2&v%Jw=_2t0t1K0F8B4wNGG6h#cGp<2Gx2Bf zMMSDCKDvqrA(LW8G@GDFhSNQC;;xL1%zomN&&?{*Mx;+_Qot%t;}^;!_#((gSAS2@ z5qK6a7ON=8ZpV~OG?=d76w>kBzxKm%8e9xnGP?x2Hp3u>F@SqWn~CW9ju!K86*8&C 
zTs7GCDu^l=w(GE72Ry$G69WpvvN{u)X5i%I>6wOa95csw<$;MUbU>U{7`614;}>a^MnCT#aM~Lh}K<+VFs-HM)Z>pBZAp zK0S%(%O}{(zb*ZlG4}?23$GD6lFmS}Zd-J{QZep)i@Y>rrWdi-A zji#IcrQf53lz@XK6uq+o=rY37CFh6wNA9?)HsX^y%_rHCO&C@z@?5v(wFjy#bXCv`l4>+NuVq@Hrr|{kuC9IG=J2{0BV5~DrkxgM*ku%8v zkN)f>WCRV=Eb=VVJXalCMAgLUEHn>+gng zAXG>D_L3;9z1^v<5e7jNBGmA3lnpVv%IkGeG@n@>p4ZD@P&JoyVs~H++Yy|jElD+Z zH1=1ncPNU9^Q3zi1+%Ft*@QaH2gqiXarJAKAf}5cSIh;wnRqQ8ja@2qNcy-Wsg=*$ z5D%p@Fh0XZ_fR}(D$ua?9uKt&X-_B+w8R8dEn(FOn28&)4etx(zY$ii`OY!;yVK$P z$#wr96+ZZff+Qk(aXF-BH_J9Ef`79H+M(FIh(q1_i$7# zv^o(Uhe|5(u~03ktZU;mu9iu!P(0=+SGCYp&1R%n%}672Ft4ZE2&{86^<L!h2(%`P2w@sBkR3$e&R*l(OKy%FJ}zV;%dYAI6)m}La~htT zPv^g8vbxBceFj3Wd&2Ato6;9;sA9id9YDiz`Lw7#U^otQCP&H?jQ`ynkk|ii4p4qK z2Sz>Se?4Z{ctv*dPiCa%V@_nqHg~)D_wU5V?uvLo+ayuCbp%qEfi2TrHp==R@^5Or ztfhx23554SK9nIdJf+*My8>&d1X}@P_&P2L!`XvD9LP4x=!mwC-R9$&J(s}b+BOe; z-!>0L*5oA~^Q$VZvsPzo9F_g}ORO{?L6fUaS4Kb9+Y%yd-Kwj2xy7sIsqWW`1WDN- z>8JFf7lkL9Ho>dJ5*iV+o+2wJF3IzBnxuXfn0$wAJ_l6PfgtDh& zKIb;W5Xv;2$HD43rE}%`YA(;dxo5mM?yu~0-a|3LH%205QJ;#g3Kp$tHPCzZqxlUq<85aMiI(YT**U` zbq7Sn=Ek~381{hOvTTXVIru4^+>9n#9W>vWFnHcPewH7EvCf{Q!ezq-y3J3PTtj`m5ky_QYEU9=w)6}HLN z$8BlLAyg}{3~IN4Plja?u}8`nTRdGQ`yR8~J6Cxc(kbDlQRUWBw2}H9&y=t00*!0l zQjpQ)U>D3a`ACKA1q@;dW@WnKo;hI7-5Sb{3}%{w-CT%F8ZwH}XY;~kipHm76k!?p z#%DB~rM8s_qVN~Vj8kWOCCrEa2&MW}aIzfS%I7vwC8LG`T8zu03TPzPGEIY zG-CY6aV>(|aPC}(-r)As^^FP9OE(K;lq-9H)kRSs@wE?=JiUR3tt(*m#H)6R*-Q1! 
z)?tS>*~5}Vl9+3=g;SMtM#Fh6XXioI@@h!YEAASvQkd078fs1RWxiw8@;uR$mXyRp zCK^O^#^XuEPkMX)51DVFKBuPNWI6u#gSkU1J_hJF27akB$z_1ep-I3sb6F z^aYxfO~I1>d?F98CWl{CI?mHfhI4}T^mfMBGsMw=9rW@7QIVT_WLQt+oJK8We<~@E z!ZD!-Y?z&#Vp8~Q@h09r0a}_yXy6t!!?BL?D1aMleYm|Zr(l&nj0rI8aO?hap1(S4|1_uI1T+&)4)Li0-VSU%hC1Tgit%wg!#o0!VQr{1hd6wI2^ z`t1R|GY()0HE-bEEcXt{$K>AhY%x@j4^m#IF?ZejAp!cJZQq#UR6KpSoz^<&98Z|1 zPUO4pqgC4-(JH8ZnzYY2z2@qSs`_spOhwRps^)99YXWx=QdFSl2Wc7-NbTP#uA1^6 z_n6_yi!RSSmY;rgZNq_(V-Q#_{E5sRC4XsFL4#>f6BS)rjbm(mRr zW|1+*zi(9wf(40>hTVt~ZT=vvI7BGXfnBh>eOX6^+OtEP2l*(o#=8}>=F4S%-ksxq z4(bI&5+*_kd+?G5z#L5SG`CWKZ%VK={Eq3c#`SF4c%NbPC^7{OXoC6i)CKd?I{8&~ z#l$A?KMMK^|L3sal!~u1y^E?05PHoPW6}ah^@zr7gC1l*Nzvy`#3rk-L}&52{7GUB zRs`hqy<-_%+#jw@NL zcw!^`80kR)|MHlJDdX#35e0Ir|VVP!K)c2zjgwsw9&|xvzhxNx!RcM&+fT zY4bPVJTYgwM9XeGqozV{@dy4sT4l~ljp+Yh{hVR@U&q|U?7mu5&BL7q78uj`?finY zkGhsHg$%z0Oq#riCf%oJcT`|lDv;3Ak-I3Mb~-F99dQax4OMPGXj!hq7U^uI7g{@e zqjz1-*r8li!IwB;G{=8zj$`*t1-CQ5Aqn;7r#J4@QgwbMH~N%yTF@SVk($!tZ{m_T zx`S%{u(eJZ(IxuaxO8d=(M!2v8hDno5~ApLEw;}+zVq#3S7tAr@Fg{Jh!VMxe7IU* zh{!)a!dO?;mU{OFle8$$mDFVgzTMj~F(#P|9tudYjT6JcC-zP`6+x6?&@?&9n@ytS zo|9B1%AP|Owj4|?ZNrO1?c>L7xhdewPzOtc@J$!3vy6%gT8S}L*UqVRruY#E2jsLD zqe0f9)?50GDl_sLA#>`>od&MV%fsPlo{`<{A5M`k(u1o?ovYT<{0%^t0otrHRpWf@ z)aCsovO~T{Bm@40NNBT3aHZhd^@srCly7lC!cOq!_fHn*Wbv`QHO7gc<>bM5^eGxrOj(q2^sofk zHGGP4Uy%664Qw2|4r{*?;>0(Z>R$a1hlAbCSl^cEkD^jBkJc}-$%Cc>d+0`-BnvPi zMe+>UZb;IiGCiV|qxf+nDsfS@eB3O-aH@Bo z?Vc`me~}`8Vnm5Ohs&8(n&H=$nToXexE}?j-8d~+|4+s9^7UvVkDC9yTnR0+LLvO> za$dR2NtyDZcuPE4Vn(xxOZT!kf6&5vCA6y2iSz(vinNicgh$XFfUn$V0Q8Q-o+ho= zMGbPdaoSe?p#p@i*fZOUaP9zVu6{qBL);|5#_TMm`I5vCi+o7BPZ}^2<}^KNGuXw+ z&}SpF7TiS(bLbQ9vaMG0z&qTn1pdG!I;#RL%y36mrf$9G@97mNVrMKl7A2HtGcGn zO|uP1cr?8=D5;pF(+hIf_soAUD)gOJo@|TYP_6suH8H3%njjvgQ(kIJm%md%{9KbTQo+*hmH04Sa1=8*HT%)4I{(WvEEq=$h*oU z1r{l)zekW~+z(jC1bHj8drzIxi@3`NNn`4;tJI3ERevgQb`POyM;GF5M>~t$gNTi{ zY!RMZW=ijajv)OWbO%c`9H#Az#W52K0Nr3Y?+yOi`8&Q#v+)@31|q1d83NyJ+06EZ 
z46n&ly1{{){So_u!FBEnf<%n?6NiE;U^?0#-PUeA7El;2lX06ny4Qp|sY}V?G<#@lT0P^A{tKjh|iN{5{5tP0=O8k6+mG&Of&Y7}%MwjkkYd$Y62hrW)EI&GA zmCmY=+pp~IZ0Gg9EP?t!8AB%^1sHj@9wV4SNRdPoO|526#)*~QglKDlU=I~-;CpBo z%~M&fI(;-sJ6l07NWQ6x8cnr&o`k01C;`3U&0ZwTJFUI)`OulEFx<;4Uj*=gt-pMp zJ%V)5!{jA@5#>DzirMfAJHdV}eE?6@CWs}Ft!0-h?%3z;fJ)msGuQ7a3w^`eIx|cw zmmhSj+sUN$v~ETvbAG7>9WnpJEVNO~ z{5IER^{$c{)(FwK`p`XnM0m{d@BkM*2oy9Pm+lfB$(x}cZn{Jr{zz0zyNNaB&vP4j z)m)`S$Rosd5L}a^3qlgDzlXmmq9fm0P2VL7SDh#jeCRK&83Y#~?ben&m6eIuf_DPY>6iyp=0%VLZ=tBLO{c{^*|AFQeB4 zdF3AU36Y-tp5%8|`c_DM@TU;s^snP`g9K4~P{4Q~C=yuicVq2%G*u0Vf_`=3`gB<` z-3e-&a_zUk)b{xdSh^aZ*>H=-m)TBwI7&_9y=1(H`^|-@l8f~k=DID}9<;%inv${+ z#Mn%-)McQ^^talcAqQ}ZdVCFNR+q-?;Zo% zfu8g)j`X&NDI_DIqgV0i@scTqb}t&8@KVKg(~xAhmL-R1j<@-SH(jh!6|2X0Khe&i zJzcjQXee3hUu6+I;)bXj`n|b%2&>_&eOB0oq`xcbMH?B3u~buIBQm@y2b)b^R*TZ5 zoz_rPkd}xJJwzr-^OpNzV@vE}4@fXT{}|DjZ-Bo+_iH6ICO<&g zyNYFHhRBxf{flNi4H7)5XIiuKvAt0@R#jZM2c)cDg6N-x5L{EsZ4LWfU&7z7vGsp* zEd+@j9PvW^2G*bc@)&%u7Tw6vm{@20V~oz63*=^KgQfW|N(}c^LWwlEC=)~AMok|m zyE3kiM6$~~DlX3m1pJm~C2!tWLC=}8S7`nZn%;FOkIe-Z`N@__T1Q1CNk(Eq=I>?w zvR8QMl|{2mDsQ$*C~5`A@q1_>9Qi#o#Qh!`V$fL8wn&yExRx*eCtiKl%KRGOmK z-8(dfH>yRVT@v;0#}rUCBdF^mD%UMr(nl7bQq-Bn%A?TsnW=8r2gqY{weTkeF#t_V z;WR*-N)$1;Wx%MjH)^0XiY{_Ksn;JFdB)74O);!X|6a`>c2O?BuQ1cP$QFI1^l=Xp zhZEo!`aOQJ$2W3@Kn)YB=ZOz%$6`5v9scDM4112)vXzw|`EQP5M5h7g`Wudq)sr%7 zGcblycLnvWUO(Ty5U@9CE}tUmRs`rGX9%kLTj!azsp^5JrAlB;eOYK3{DEYy@eg$8 zQdn?3{oHSE;!3ROjL3&!;mColCD&zxo%`6Y1p&0HdQf76ww)k+uNit%f5Y255HDh@ zs_C{0ioi6r3#DhEIT^@p^-{|l7HUs_L!E)!$^`VT788BwAX^&xK)-`4ee$22PWNBn z^BqLV0O`52%~ZWb>H4=+9>ozaOYc?>s||d*m`@VPg-mwytbBmHmv~?5cTLazs|vas zdL830YPm%tt zf5D8XDXky)#(0g-?>1V)o;|0m^1d>x|J<4r#7p3oo(5hvh0DD+C;0Xk^N01nrTyz! 
z7bKuE(S67ErJL}T)XPv!H%e5GkqwUzB30&fC~ZXI$B@9dfpkOro1nC1yiwa4^F#JRAa<82^KwRJFBSw z7qP}VGg8%ml6o6v(w7kInPss9k`MkU<-{siF#-O9tm=&)kzjBQDopQm_H)>Dhxp{-@B)BX%gWV(+}g%Xc3VI8Z=LVY7mh^?+V@H4( z_!|qHA4*oG^Meh~#P~>7tSfQUDb!AJ42sn%=ZzG|SIzbP*QU*BTjY|JM_)uBYHKv=!gqD^ZsERnUAa8G&#YvaWsdgHA-@NCw@b|Z zxlBo-7+yHV{xOn9we6`il`G2ajAMO>etsyxmnGWnjF3W7HlBu-LlTszLwwp`yu-y! z9Me8C=pcITR#Y4jCHIk@#!fk+?4+?EZ+HkU;nYE3+1N;9WjJYC?R1B}VbP!@|AAD6 zC_Qz46IOi2NIaD_Ca8ptG*yKZs2QeR3b=!@*9=c6>UYz4gJMZqPL0SpXOwdP-r}8M zv@GwW!9KK2EUg!-(Yxg-{gVIIq077Q61}LuVLw}3*F9Mp=MrwC|74Fy5f=&O*t*|9 z-FXCujH!pMQ;ehj;g+mwbHZ+xTDAf}vtjg>g@bR7$*U?}THs21zGB)Ox+9v9rtkAH z#e&g^^q1;JAxdK`5V4%Bj8Q<^`>3)%5!9X{TsXvq6@4g=xg66)4BA-dKzF;1qMItkfH1diQwbOa^$U$N-O$SEVNR@SGu!}8 zr{4%|Yml_D-9~g*8kXwIf5VOCK0@|hq2{Ky zb#*I!4(>>r#d8dMz5fk2juOA*Rg}DYK>NCk`07aF1i<%u_o43Cr*c!S=>V?ccaHfbDR$ zAxiD3Cegc>5$MAb9A=a4S+V1rV0*XJL0n|3BR?06uO6K z6wb*{)=81~Ddd6cIxwUD3hlIoL&1%k&eAE4t{pnP=B^99cHM zEce1M%RO-Rf>ol4YGj(7zB@&{POW0DZ9cPme0%PxoZY*YsVKXETD<+3Qtz-!v+p6N zt=n2++Oj+JnI?R_ea(FV=v+~_ptqM#+cD0oF1z&PFekpQVHK&^09V;$_16Yrn#z1&O6|Xu|6y0B2i6BXo5IXB*BMnzle$D~OVtI%<0}S6vhu6`Hwd zbtp7v^uIhB$W6*r3?)^cW+o#v$4v&5^ft8XCibhT{q?8Jl%7rA%&w^h{Hy4S1BdJR zU>&y#tU`j-A5k$Qf}7nbqPMJ|;zLMmF$mWCmmoMGxy|`s%5!Mg&i+*(sB}Xr_C!r1 z^signEtj*T8Ek=KzWOSs2)<thiORbi2$Ux8_Hp(GzL`(OsmYjJUc? 
z+Q8!g&r?Rix*l_YCDdV9-Iq`)*;pC3aO`&7$o_A@8E%C`>%>m`M2)M@*&NDLPd5o} zgOoH~(Rv@YE^kEL<4lgMqPjo)0)~`RGYOHwgmLUY#AttBbcAZN0O)}`x1=b6d-Q6+ z7n*3&&!O493r;>5C$=H&vTB9ib!^}p-MUfFE|L!*2F#JL%&$u;pXbYB8;8Meuon?n z6b6fTErvJpkuWjyF^t9yu!F@)4*usQ&PioptYm?3cZ?9m5Wt zJv2*m9)k@y$5T=&ROXRm>wz}Gtx2kE_k|HI5HrJ`zGe-UmuZ@>2?#PDge@WhUc}_YO9p-(6 zk`@~L@)t%P->EE;3&S#xHXAA-xFm3$-X^qZ022*)dmLuJsH-ojhTL0yUc=!5>p=}Q zZ08k{=3k^&ThY!u8N`X>5rHwHr&?fp)2S*m7(04+d{BmY-*L#{XDw^@yo?Nxrk|>y zRzrX0TgvQ+={|Cls}un*^DZ@?u3IT5l$dDBhscg+(e2vf&}X5 z(>tq2R?+dBSH}M?RYh-;&KJL938o^b*cLa+`5Z4!yXB8>GETDG-z}M8yw!e{`X?(U zRd{%Np)@hof{<4ck^)=4VS7;@iRb-}h+u*5tXnAyJoIEL5fA84iN3+VT_k}^CC*;BJ($6u=JF4y38j;A4m(&V`2c(`dwm7uG44X z0h#rDVx|7{D#F&y{Nvoe;}wQ49cy@Xyy({d#dWd!+xkipG%8aj5LC^juu+a^*U5r0 zUn^XQR?~w|@zg?_jWFANpTF?LwP#caMDM$i5=<>M85-}c#F+|E0KvRrEl4nG7_%CT zciuDE=!@fz!MeB*FAYBjq_ZaXQVI4l?rm`4wDQw z@?DK5y`{WLu5%8N5K2W7;~ncCAI@1n7I9MMm}wPr68E!FZq%?ODRhultn=344ZN-+ z{*Fc?5PemlQKiW3b=`}t3cxwI19;b2q$~fmMs!BuwLY2J4d1gZv?`&{K2lL_TT-_9 zx=^w?Dm=hgHK4+I;P-0uKXgqMz^*o96UYQXvG(NZ$F@19qv*62w5jM=m2q*b*F4e4 zzI54vpk*cNNH%6OtdrIkAZs^|yyRB=KhEey^BeZ_UuQI+@r*$u1fEnU1#C6kYesM% z4!o+X)uJS6bmxn_+lKWjoC6a!j9<|zu(H(W<>f01q$b+TzTF@bC5<|eUGPifmr$_h zpY5tdYC(b*<{T`zbU%n)$bSS49O*-4oCP;UEq(-OI!GhI0_s=fKo6|S{{jp2S!k{6 zQ}~T)&mNnb&Qs==a_S7_gSTD<2%_VQHj){+_&iq8MS`($eI}BMqapwU71VhgusL#J zBv&lmrqqI%zq2;?Bdj1UpZq9QdyFS&AFZR*q;74gqEFzrp$#JYS$g^=qaUk%7HD63nny zY=;QD3?X?SCNP%A>V*y0NIY8IyveN)^i0PO3FzqqMsEO?TlE^9j=$*?5133f$DJ4O z`+H$UD9c8oReftx)Mo%G3natQmYk#ah|A-L+?UHX3Dq!NOMQ<@=4?8Qm!D0yhcT}iS3YRgDnrihc|dTCfA;q^`5x#SK< zH`uGKQ9BZgI7Zd&p>|i8NUQKr=JAOM8i_yDJOnSUpsjL;6pX zo$u?^QNp1?UBsa9#sRk-CQ6kf)H94D@I@=w>_KjJJ5q!30fTN_H4WutgOAu9LKgBW!cw-$K zMaC9~JT_~0$ts$N{pzy5W~lX#!0K{o=B#gHq+);1`MbERz=~*|6XJf+{Ow}72{R34 zCmUZc`YCMn3%E|`n7!SX5xs)rRMVfvN6Cqnt@p1y*RGwVJXj5|lC7#i{Di^9d&dgu zb$1?{&og5jU6v_b_FLJ`8l+G10Q55@5mY8ax~^yw37%#o3hQP}{@BIV=zrnClq z31ldi=##3#vf9hse-Fnd+gx?;&|(}NKe`LoI}V>br<}`8pN_;*twht%PbL8fXw=6B zT%Ma5QsAOE^^L7 
z_!U%aL-n!3&Z~PpX6EdoQPfNsAAv2qC4VWf4|@89KS8lc{-`=bl;P~t z*C*rHxLJB29|q|%pt|APc%@%|t^NN8*EZKlmdG$+AmUfNy^W8f;nWrGhe|YXMJM7 z5@3u1W?X(K=`oF{$`NFs_CA{$pm#wGsvF*?0is{-pnZ{_TT(p@{-v~|p^N1~M8X3? zIMx~Ud|{I9uhtrBF_b$QO(~|`exxzem60?WdUx1juh4JwZ@q3Q&HOu;5336B?$U@`y=fTeDn_+aId^rvTkEyV5 zgYGP1K%tUHvR}fG_IQH$MVUUG2m9C}J}-wFOl9$XTF$hEf{X7s$xi9|wddN1)L*tD zyr@s2LBS^aiK-?-377S|B2K4kReL~9R~% zpI!2UY2_lWO7mOJUD(DZtRfPs=V3nyJ){ozaEe}*vzuPX@8^N?*B^KX;&R(;b?c7( z94G&m*1p@3yM#PgTVnn;AiU_@)2$@l9hJ?NTWFvD4HN>jA{%vL5rudmws3ur=XX*u$xxR-WE(e@jsrr}om4w%tU>&4HJnTO*2A)sv zh3_%75dY#(H)%6xd1X&>D!|LACVyj}^dbN13k45J=F=W;qKR~+HXwN*! zSX=H_FdQD7K$xv?6JUof8@`tI-~}pNsFC@%>?+R0YOI(agBe$Up&hRA2C71H*c?mG zj%8XLNTXa0;yods@wkb-`^oS2E-q95ic{08pq(Quu4oN&_;BvkjL24m=f0Z=nqBC^ z(@++8v+eKLXTC8ju_e3YMu0s`NNG=kieO{Ms|(z0@O`L3bTl7ZdpnkVASZrg2)yO@ zWbOepon(^W9|b_})&3n7#W7T~TD001pWpten;v+?-=Ql%l0c*bxXw?L&M?D>wS@26 z?QcyULI`MWFtodU#U{;ZO_5#JX94mL=dGo< z)2_>*0mpYhvGN*e`k_Zk;WKAq^L5J_&kNhFE;&%}v>~ef+Tl#C!pzMwZWr)Qo3!fA4F7Gv_mRD*gr$A z926jYr?!uvt#vUnGF1pAu|k4)|9JL{3VS65RzoK_l27k?B1hqpc z1SDiQ{e-(hz7k)(Ce?(6#=JUKLuBI-InRP8A0~V!-W2S1@6P=tH&g03Gv_y-0Eo*qKV60KybS zGf+reE7*iHIeguvk(}Vp3dw=RVwT8mxv1r)_`vQ)vJ;*edm`MTc1Dk^TZnV0*B`MJ zznfT5j|Wd6b5~XEHfDRcs~4s2g&02+8(WQ3NJ2@IR08j5dahH9UY^1! 
zAt6PP$hVe=lbU2Y3nLC?-Q-Y2;GN{O%TMz8`d@W+Nri|vo!y;j6b{T8trytPO-A2U9tA=^u{f( z6)}x3KZ*fX5x37co@o#7X@Npg9gaH!5W~`kk7f^x6_}iMKd<-jaQ<1&mCgG;r`fH1 zx<@jDlND-*h)Ea#g5C)mh|Yp|7{X{XR??~O#vacyyqIsUvZ4-Q;lB=t7LvV&@0fsS zsGA5JSVj%I1k=X=E}Hxtpe>*89%6j$cdUI17 zzbW%P`}`m**pwVwE0b)ZBZv}CI=kl{PhnKscEuQ56uH*N28ta5Jdz-V}0%1?)=QSK2=n$;5%RFBKrc)TU9u88d{P$ zfHaNt|EiBM|ElUE(^J?_BxQ>t@{~=BDGhM%eVv@DA!m+0`Y3BGEM%v*I5WhDBJ<|j zYj;A)|CU@X`-GhL$?$jr!u6A8KuWhi068{1ZIhty2dyDK#5x+(m(e~pfEy1M*yNfJgqskES8It3xe8#3RTS_W?bSnz z9t~;1Lm@*%N2?j<$OgosMqWU0h9)LJ_9yMtYWjfEfkAPmVJ?IDff)35?v(ud4iQ|Q zbM*nN!fBVMKi}eK=O+_xcN!M$(e#}U`jam;aGhbt0UW4&0>iWCO}tVbDh^4{+{iRI zTA0cAk32X9{WD!vbd7Lymh?RmZuX8ASS>fMjl~qiY{GGwc=MUSqcc?Gx^nX?QXEi0 z#udqmGWYxs)QM|vHgIDPYYEBH%znf3&`Ag#=Z;n8im0G+*}HXBi=Ru<+^N=11RW!o zmZD?L20*a@;@#5ZlY=-b^u`caHWuQ30G&;d&awtXsDnyp2(4F|g*!Qqh^d z;fOuPB$j!$K=6%i{xEk}G27Qa`XV5OdZ@V*iUdGwpj-%7EFN0}Jtd3FwzWSex7z-x+lFGAo*=+61u$DZHMU30mtk)a>SO1kzz%=s&#<;Cvs3}w5#w@n!giW z4az&q@O@Y=Sk8-ezng`zKw#-s(X9t`KDg9C;@wRjm`9n^W7@HIU5aF21B+=o)~f^9 z4(cm9)tAo)O*AkVZLcCu+d(lqTlT@X?v6UsRVA7NqF|*$K9MkVorWxEdotQ&Hw$9)K%95Y7j{7LgA+u-!`eftG%%b5ER#+sBot(v!cAexc5 zgGXWb(y2`U6Z=&77(?}CoM!9XsyC76X0F}|VUqk!TjlJHp1SP8WnPu6Uvb8pMgU?B zVO~$9h(w8etUyNfWuF`nU$j{Z#9lp3k-Y3(*0{1ywfCg9uyHspQbGTRr|ddI3sfmF z_zdlKK?_W*(JUzgE$ zV;ARa4T~dohUwr;oCG~LeI5u3w-i_cq?OZ{d^LQalA zk{8n0DF>keWrHxh;qHSYOv!JO-O?uh#*`g*q8r=o!CsR3jknl9v81FV#A)HtA|ww2-azd_L!13W z>VR?xDz_D$uI_Yl8!)5K{}f%wIayw6{gz-|;DB+>5xoO+Lwnlm(=ASlzn9@u_Vy9f z19115JE>4xi#s!Jkayg>;Mvbq{i7$f7wFymUfsJf%_sd6o=>)YtOOTQ$8aZozBNoG z!3c^@?vFiy`esdQunO^VsCOV6jPsaMfv}*d7i!`&yb9YFbtkXv&lxGVQ6%hH6kSml zK%G0ADIb9}Wq!p!k`}7L3N%SvQlm{O4~;f4tLs-;_{QJl$)iu)CeJBOR1rbKPJuZ7 zPr`JeX*_|kzL23xd{WmZ%7z@u}Y z`*ITwIsv=M`A1TjW6$lw-5|2MLkcE;Czn*g=GB07z;=7+_P{e%eQS$Zy!mt|m-9wL z?2O`tl(d-6E82Eq+hbYxXh|z2ORoxf0{4b!@UaaS-LZ^0B1`I-PwPj=D=w}!jDs4M z;Z|%*fIXSj$|2(^9C@->1S!mUH95h)cjdn87zc*hSnoakLG(FiTd+s->(%x$vV3Rvx z_dom!>r%V0v%f`13|wR1Gwk^VZ!yPgPfpCa8G9T~6P=)8`xlayc#U#MPeoM#g8=M( 
z3TQReReWa~a*9If*Hd{McL^AA7(T)vq=w?8#Cs?C2p}A@kM{FnPFzHPS0ECZL-dYH z&&LABRM?iZcE8%i1CC3doyoH?6yAM0N!z}-fo*pCX9`zViC!L&zG61&_ivw7BqqrW zB0dd9m9PVdvkR;xl=uxMj4?**9|=32kjtoV@v;LurO&u$k6P5fmN8jP-v3SIG*sQ! z!MHQ}EY_lIWjrw zVs{}s8%x~AVPoRn)_xUY^QPFFPlcOXsnRix)WV=1cpY8zZaY99`#TTV9F$$EVFRi3 zh$WVC!W8z!1zLAe4&t}WgR4xDawibO20y)aL%CD@0m^j1UR2puSM@;dTH6rmT&JRW zDbdsND+a_S`K^OUP2qDiE6(VX!InHXI_z|PRXRj^cLzr6{Hv*Sma<9X^y9Cz-ko&S zXbfRPBs7D9CRA?JG};i#@oZy1tDFt(y1lz?4-Uxwsot3ehUnWWL{zkogC^vK@oqN? zY2Xn?Lu|PYKefHooFbd*lO)*ISC`*e{EuL}MfHb^O1-E-8Oi>~d-V}!Ni0nB6%0GH z4WF0tqV-=R?6npT_sO|_6X?nLo)!;QhU3#~MY~69;}ETNouuaFJX)&8k9i~qQE7H% z(n|};&ebNoch^aHZ2n?K=}?jQw`GyIPp;qKd={v4hkKGFTg$~P79H!2v5Q4$FbB45 zbV~DB+1*gJr&Z%PYppA;BvqwWfMx3LI*1Q#pR=|mai6nhzj5lWhV2V!AIrZLn;yw% z=J!v(34t?0j9}L+#9yFLhhfO4g)0Aw#T< zzr%z;YN0rD%lERer49azY;qMQ0;5#+qNT;fF!OrXgrAND9Mc&-$K)Y>BH*ah7u17W zWHE+TSNisS-kKc>QXJF1$kz@6{3d??S3}{ZE95)@F@pQ!i#@HiyqMMw9E9^)u zS`0@gIXG}HWZ~Wmcerwd8)w=vI1p;~mr&%?-zKwcmEFz-%94DS{de`V^Pknv3j+P{ zf31E7FW+YxbB7*Me!|tsXEj#*xsPsuK%-6k*tZj`xf#v}jvopj?0vJO$|r_%27*ta zcA-iy?0(afs#k+HzF!SHX`iV9iDu$CJ8ugR>&F+A5vJcP{`B2e;Ad3SVNT|2tgZ(;b5WL7dj{oWhVOq?~&!3_<;#z_N@AT1pAKs?u1b- zJvo#-Lb+j-sds(*6U?vp?*v2QP2ig%dq}JWbvFK_jW(_)uiQofB1o;JQ#`zFV9Jd5 zoly}}9peiH*GXhs{x}%JFxp(VO}w5y2r7Z!R&mz>VEL6C2(5S%Ehd=0AKN7}qBX ztcvjw7_1cJb87;*Lc%gxB}PR6s!Sk>!OPPN@D|pRZ!1*5py-$G3>_A5+=3wM>XBbuIG~ zEwhG?VU9i5Ug@v(2rBbdfp+yw@yNdQ{)3L>%WZ_{`s+@{P(m`eEfEVm6?$Ug7aheX z|FJ?~G``BXFIWtWd>ALv%kfxjetlR{sbps8x$$Agx&cKouPZYMOCsX!g>$J^#P#co z<5OM2eu)V)0NIYZ-|ZKgbY;p^z8qnygo%6(@|^p!eP;%^;x|Mq)zDB$Zcl&dY9<(& zqB|kS7_#yfI!ZjEc_WL~^gWlJkRJ@*O10>4#bw_xsn{nGk;B2Y;m(nB2AUesqGN+} zRd5l;U^z#h^o97in%}gq?q_*l#C2{3K7_0pzL0-=Utd9-?pSK#W327k{q|D zKMV7*0NCxK0;Z)+Fd^O&qu=J#E6+^uTKcKkfT|$zga8GXAW?)uvg;%ZjpE;{tn0NT z)(WEC#}U2r>2bC=`HER$&!jrpP$VIb1r2AR{X7eV7OVw9KnOf-fiV?zc%kMKyJY;W z9=1@N{^INM;sf~psV66WpZ>bP&iphbpIr6H_$)T~j*a$SPQvG`Ho50q`cBaFJjkYY 
z!E1aFfsxgZ+i1%Fe66bFa&Tn{#AKneh1x6znJO}s7j)>eQYp%PvyOK=z3M3?hNQ~pE0)yl!GsWqtB4rcqdmjcN$M!{kh?MojVQn=l7NtM1+TWbI2 zH(bpXDK~ATVq4UM?(dts#3f^m3fxvN`+G@?;_+C|O}p?(gh+&H+uN3&KZ1Wkw}z@%fJuU07#6 zj~Db)5coa2MvAyt-FXf!vWE;)fn;M`hIp8cn!!2&A+l;66|qY#`ZhJpl=vz6tc8>R zy6`IhSF70A`|pKU>mMq`%p}L%g&W;;s@4n{G1g)f2d-ScL>V!CjZ!qC!g}3mj4{vk zlYq27Q%ehtTZ-j4t+2nDo`j=Zdd>n*BI?`dH0g_Fd=@HiN%Ck6*F?Va3FjiR234~o zs*-cLYWDTv;i;aQd-T7pYN*591h)0`+4`JXYJd^n%bY3t%i2G?u*;1{2@5*100i`j zZ8a;E#W*CIYH0^B_9}MW?7$*5vuI5BnK0QJ8bf9{RwvyQ=CC_i6(NC}Guj6G`*89&!V942h`JyQ ze=py&@mN3-M(lpvO9Oj7SJ|15Lt9Fr87So#hi`ZU%dD2PF>Sdg#g zHVduE(-_TiJ63dF%RiPPi~N#N^<`t^7XiP%MipqF*$#vwYANF$7*aDGvd&>>k~J#g zSAFi5pUOJVp3E9?J%6KX(w$oBjxGOSR_skt90NgFPE)n;z40Cmy1a3TMs~YXVsaub z*>fCA6l7@_VMJk9g<>(3g`DpA@TaIKAiUDDc~ztX%8dd>C~uJny+tS4n}M1A7CkrH@TDB$X!%8V!H9bIy2W;BC? zFh@=dpDg+c(BBLJKB#g#!N>SU;(dVt{!u&$Ok&jvJ36&+`V>7$wcj0B@HiI<9dx{p zF<;WphF|odb)%vSE{T^y95B@K-MQ`~FVSH;)tVRsW*+M)ghd z+U`Jd3msKB@yyrYHuRc6Fuw>=T$IUIlpn_fU-)ksCq)DqRl>lKIlAv*Y;x3|*$I8p zs`Vu|@YoGLR}6cGf|TeW@hiO+L`cxi(UzBRy6K#nYJ5&-mHaDLgY%>Xj8SsBa3kh8 zGRe^+??kvm3K|7gS^oKng;q?z6}`~-7AC5@X7NBeH*S%?Ftg*pDjBZ|R$(f9X2*MBEOTeZ?m{UJt*a|ElDDDDOc%`MyRf%B(5HE&_cl z>s8nD7OJ`p1>~Fcm|GpnQ~65?m;D!9r@|vkoV+~^uA?#J)cG#l7*D-sQVVSvdwEei z(B)4rv$cNU&pQOSIQJ(!?N6RZj^gjkFk)e0OGjhVdLtNVJvwt6ie%#Xv!eZtbkwoS zumLNjGN{Qqcv2!UUImudEX5CkXc8lHamGlr*Z{}w%xMOy!dcwCWrtlZ8^!mNev?Ym z^A>C8gk}xF)^m-9)5Qz1siVRuSW8mZWpOrA(?3h1SGjBsvd*#XVS~*Jf;Oc=8}1$8 ztTAxs_^#GD%na8k_TFb;Yd-wkorZ zFfN+$R9WC?+;F`HN{TCX$z+XzxJx+*I7@bF`_x0&WRKpHmY-=G3i;UGY>$5;E#9$l z6Br$rz5Ld~46Aen8fnu?j998K=~wdRsNa^-w~Br#>vdSKO0S$@wGP%UX%VUuvm_>*=avFQ^fp=r`q z;4+hSnP%mLKuT>5p8V*tjWOMEGq`G^lZ$zM6!Zvwa^18vmj~+PxeFxed!>cI%Y)lnfw;$v0s@KKhQKlEWyCJpd z;{SF(Ip7S3I#vxy24O3$+11Pk%RF}&6#mf`rP43$eP`;T1RpyUHWSLI-7v)`i`25_ zFfVCYZE*@<7+AJ=X!_$euQ?`66{=O6rF=}HR4P^W6bO!X8x;H9y=4VU+filj8N{^; zE!V$T8kxMq47%rtH9fe~pCc(K+umH;@IzZTNKLh}Yc1&55|`<7&cP)Xk>!W3jr9xk 
z)N9c^+NcLa=AzoqWm`;EYQyG&#UzN~P%$<lO?>=$ZJ-txzjh@}p~B)SU@ciIZ!z3lpAlRnF<8*6eHk@~?esf7Gu#_)`Ky-)dm~<-Mmt!s=!mh^WtuIwp=&8(R zXia~&ha|I_@k+I2g+0Q5*(+UdDe|nZ#7wd z-Q=dk0PtoSV%Q=iMQ*OA0;zSZ-SvnEVVg23u6pFmyf){>Nlku#)VbcUVTJdF90^+p(PYz}oDqVi9mSnazSuk}JlUqnMKRhE+X*$^ zKO70hH*_8!a7cahe6oAJJ!y0J#O5n(W-$N`=~t#*0K2;uF?{ehstkXo$LmhV4mts@ zF89Z`pHsu@@apOKe_d1!EJJ}iw2P~ z-j`vVX$4kLV0Q802DX+~(~mPX+!_!+SRj6O&!0jE>?k@vc$zI@;f!>+1ym`g7iwd( z9pBNqDk(mL(9O5($vC@9UP1lguT&Z$;cmKUURhFpMzcCuZl(HdrpU%B+0VKA=aT!^ zAUlM9N80n=%IdDZTC>3^{wV8%R6Ra%U5HQoVO&rrhaj2w8n&{Ic7YAB9zgmh)f*{z zdvM@1SIk2If5aS`PbMz;me#Sl_~d&#J%jVzjGXD%Kj`Oyz=02vlp3cQ?LwP88 z>IK_P@q1(ECy-!37PivWl2|d1SKISC7J{A#&H^-`gSD|#PHBLQuh9#wkR4LKC!(Hvu>Gc(~`a-orV=(Nl zOnXjyZ~f^R*c_(*(ONf?KxAnwTfJ;JhdZd62yV@Br2oO zw+?K$pHT1ND1lJ?pymk^b+%zy7&7oqT6xySQ5NBj`+wuHwI%u47@`3I)HbpDL?PdJSg!LCVG^0~`>%FTxguOk{n+{`8L?@JHG!%tte^Qv! zb{Pa+MU$Z80-m!4NToqO|N0Ltv`due|Dc~fRI-UG3G*A_6FW>{RiY;n(X3gF%bKR; z)aln#Vl|FEHblY85ROKH$A+X(MA3@Dh4X&aPWl0U>p0-|-Qf2*BI@PYg^;vM*_24n znf{mdB=3P4Zuu=BLF9Ilcz*Z))+c3}p3>(2Z|aj8s0wa3JQLo!hF82GzZqeLrkf}y z3t0B&hpr0YoF0;nYyz%C=ml-sGGpmC#sI7rKVzQQ|9yRu&R$Ikc?&;#;QyEYq}dKR zuu_DV0=^JX5HA7p_RqD=<)+R0K zdKUbw{~oVR^{TC=Pk_BMh{Y;9`ruxRZR;uf!|SH4j@qy=68=mPg>g)RlgB*vIgN=C;h9J$xg&S z>S!fV!to-^P<4Sr7p6V#X|M{?IyllcS`IWUjsfy0dDaUH!mi_m-Qj7%a(Mb+_b-Kv zF10dCkNoAbcC`E+X#6|T+r%4K02kwg8T}&s$a(*=*%^*# zzG}!mV`g-$`7W-ITNBB3p3nE1QXT1A_5dwKDojWV^38MjvUjWrotN{v$-r0(iEkFi zb#Vd5)wmsDSo;t_)`E)@=!fSta2%PnqK4;ussRhZxn^}}5F;$pY^rQAME+Lr!yND8 zXPxy~dTV%$*ZHMe-FD>FnNgj5|9FR^P1)G~{K#~bmg<&|S_OtyemLv;U{6X0p8A3Z zHM?LMnq6_sx<7zC9ZD)gv#JLZ<@JFzfZU%@6V7qJor=>oCPVV2Z-K^{OZk9&$r>s{ z8S{r(5FJDJV_-!~(P4bHg29Ub&?D%N?o24ms?AoJ?ckZWHui%+`9dPcR!n-E&W7{T z8ys=Lml{D0K!t&{8?NE5cno6iyu7gRvNe@j5^Gvp=oi?e`VS97&>lgApS#PO+kFM{`~OpWD321GfkZbL{g1!fSs0?b zm11WBNj*TK?*UZ?&vlo))40QAbFou~>dubO6!V+vK+*dW(J;e^Ih~Eqk0!Y4TiD4G zmcYM{cOp3VJAt)E6`XmVS3Vi0s;DyQ#Mhs3rmj%A_))qN?8!c}uO(_M_#kcm`X~}I zM8>sFjatEeDzZNqaS8aa&MJ}N;;JG4RGDm+{<0nokX*X!gVvxKgh?JKhmkr%c;JPp 
zf)N*bn*jBK_kBhQ^y@VEI{wf+buWS=4}Cv)fz&d}&9CH?m?p)C%2rzYyn zb(9@80>qDi?3VL40ni|Y)R*lR*#ZzN1adYV8DrsHPc5BW#&@d}p10;n%rfHnuW`tq zOgj4;it1&wl%x~56kC*GcRTqwxKQom2K0}`;XKBN|4(Ga1-Gs-Cxt+Z;04EcrT7En zDK>}iFAqX1Hszh^y}>xr)jnGc7%RCke%^u(h7M$3HVj;eUpFw6F43x|#>G0LCp8~t zNgHz_TwW^HO&<#QN;YW#N!(x^2$GpTj>^Bt3ip=wsz6SXurM*wBS&c?0I>o(XohdP z!+a!QLs7a8ybe#dy$?3O}iN@ltSdC@TXQAS9QSwL~SwRT|r4Hn`njB&j@r2ml@|hhf zmKJEZOl|ETaMj#h9c42D9NUOsK8diLmx2&;zj6gBo?=`$s3n(}_kw!#OXu*-DinuG zxpKdhNStjmvBl}vE^9YEPi zesd)AbWo;i>lm;bwi9&&up92TD&|dY6RVz_x+64Oh*x7yLSQ9fu-U} zA)wMRAI0S4UVfj%9)gWA*81)i4;rxolCsUAsC?9V`&&^-t>uwoNZiEU0O!Yz0!Q86 z4?7ifQ)7FTq;_;>qjyJj^%!EtlOgj8z`|s*bI_&Yeg{*FG3#gXm_t@4XW@2Wz3Z8@ z?dUsX_0Q?;oOl20Qyp&ZMfmy~v}!t#(a*kVx_!Fe+tn4^5bj-s4mr!e<#I%?_(n=t zwh*p=j$)>OqgctkPQJ{3Rrl7zROR=5QIh&`i_HE^qQ`S~_LR^YXb@C8`KuF~w~v!s zjk7m5f+AHKXmeU1|4^zMt7Fo|RN)Bura^>=zC6XRC!thZW&zTu0PvW#7l6VQ04QYU zBJf#!4MY9wDA`QFU9z1ZVmo(tI3qan5^kKK2T*PvM3U2UfU>l~lnCKCda-3wd*f$I z-$tlXSB0pn|668r1^0MN7f05GNb<+d{G62Vna->~faUC*ys{giv zaj0zp-A^~>HXmPaZc!hae{=zP#y12%LJRiB_NE7U450A*nmC*4!T1s`=QH10qB;+) zq|0=V3WlmQLl!EscaS1xAhoiE{;7!?K8Zc4;$nWwR&zYc>3iIlH0+32zb*kLEhC^c>#8rpOHR@INzYEacUJ&S4sIDmoByk+$x?_l#XUGFNH zJ&X*RTAB84HqcbTvC+E9=tNp`y(+*?hd{>oT&d|f$hh^JYCWs-cZBH`oe*jIW#-HR z3fbEZRsA+6i0DbHZVmUI`(bJ5J-c)LkV!yBs4Zucaht=;b?|c;UyKKO#efc$H2Vnq zgR;Fryu#6LU0v{Y8p>#H;i<)L^bYmgILq%%JZ1o9IKE0WiCglI#4nOLyFq;hn27|V z=LB;Uyk4}DI&?XLVv`F2E%?qv!k~?COjiDg_?-^l95HIFYNjc!G~=o-sg|R9*mWe^ z6qCQix^c9uV9_swfXkNBR?7KMe8QBSrVwuhIrLxNbN{u-j(lFgK8k>w{iKt|hqLg; zoxfguLR1QMj25$T;$BBtEzM5GxK&yZAn|0$|LrAI3QDY)MUEl%Fae_9LJRJhpGB9QN31wfXA^F2cN^wKq^3@`>?l7f|cEk&MAS zz{{iUL-TOt;M{5>&u)~4)o=SbD7E?JSr@iT=Ak;YA=>Tb{7jPU`Qr^2RQ zc2XZpdLQQ%u)i*F8=g~>xQ%PEfm!rM+;>z36|f0JJhg39s||#{P897!Hz+*>dKfH= zZSb&=;14g!zcK%13oZ-mLu~v@dbPOIGE?g)`1v*~HVtod;_6)CQ9#2*DRJxuaM)3p zgTShl@n4b66^sY=VjB(=hHOyqQq(Dtjf=HJ2X`bPY{S)&{mlT7z^~a>&V#n9K!O8q z^MZ>Hawlv}O^1vBPSm-fhY%@W#gW=^V9Dm<{?!EX7dR&wM-+m=mW2xe76rXYp!60G 
zKfiadJ*Cyk0TX+)C%hDTM>7zIbFyQZu+EiUV*0C(B$y9lqS8_0@2F(XM(KGdO0Pij zpZ)Z}s4v5&wVyz_SI*BuhRa-v-K6;BEbS+`zcX%;WMGi4Dqb@cH#zpR{P+F=?UPv+ za(Xj=rGRu=^+!J-DPXu|d+I+6AHQ3<8j@f2Q=qwnjNRQaen6)qta8>tv5UvNGP%*y zwj?*6o9jas2yEzuuv5dKOZJf2jg3||5XV(fN9-38=rW`ClG~wRY5~a9fp@bi=nbOq zh}b))ullHb2JJ$t2z z9(+4V4{TFYu3H82G){Wic~2#^kD0Sjp~&3F%ErEv8O-87q|G`=am=nrM*xFR>6mSt zu&0cJ(M?UCA0d%L&?`vp3@rEyq=yfHt0V{|rXl1{hNA7akK4TuQSWG;A;%0m!y?XI zjhy?0XSqke->;+e;1YgiyJ3>9H3NDhjfHNz&-v3>ZO=PX)FG10yA^gR^ry{klE|7f zk`5uU|K(A%P%-4YJ0f6YpxM61c{2bhHsG9`BjN`CCLg9^`nN4*)Lq4703&oENLQef zvp1fXc_wfwS=mSAv@ZQerfHZ;As&OSz^cN=ASH1;)dCP|RK>=Qo!`%7;@<@?^f5iW zgd$dlQ&#W~1q@WaT!qW%1@>YaQebGsym|vPDTUfdlNoWuCC5OJo^~D#88Khna3Q^2 z;+4RN_gILYe&=vH87ij=9lYPzdff&jymr{k?aE1MX8{|q)Rxi8={AN9mg>S^xiOOi z`4hre(YIqA5-Kx;K<15c=?BV2|IV2C(gwpZe0=U+ZuJ&amN!n8!bI1*aP=WNyyxZ% zzbF`jd_x5!8()NoKkYa_ez3}J?Rfa?IRC8#ybr#W2U?D_S6SZXuS*4OMhPdZx5c4SyYffZz2AC?zz8*#el@ysX9qcfgH%%g?&!$Ovt5v0s}gewdMwe%sw z`Z8Z2bVrKbcY_@bX{b{Znzf%?1l{QyDP5fY+2fv;RO4A|w)_U6;e z@>9G0{FRXU)`2xBl9B{k>mXo`fZ4~LdOMa;$g%&)Zfv9?ZZ;{<%kG9|Qqkz)XuF6p z&*r#?s9IkYcb){a`2{?;`Oj{(;Oq_K&uy@ee&NlYuE*UxZx|C@KyqK8p;w?6T7Ce7 z&LpE}EfcVNG)3JtAuLzgZZ$D{hWvpkeHM@B+fBQ)ZQ36=@g5m|5+VX;M}Y&7OG(Ce zyH(0$Z9Sf*3eXF@6zdF98UO8%SIch~>E=aA-JiiJKngxe=S8j&XIe_<%{y93nc)_m z?`7Ibt~si7av_%#$@VReH^t)mTinIXBe!&&NO-_S9x0w^iCdbkXMXu3k}!WQWEVC_ zTvH78NH7d`ZkqeI;e9Nv1s%PIVJrFKB@Zd9Pqf1App*9lX8ur(26J1RAx;PbAA3&u z*DN({1TCRoj6>lUK|yQ$2`HBSLfL$THR~5W`2umOG%t(NoB^Ia%Ew`Ya*oW;bzCe1 zj>2X=p@dEIYCNfEhte3CyZC2Ezn_1W z_ewgV>5DUp*hn-<6@OLS@tgnlpUo>RnB;m!0bujWXI4(QCS9Eg;-sIGt7f=A9Z4oe ze4tePZt+rcH2o3ReN!idRVKIS4*~N+A+?CFswiH_q6f3%+5LU%Yb(s|NJJ+7PfKH_ z`jer#$~`|QoAJO~ zANs^o}iiSB0E;a@t} zvb!t=&)Qt=4;VCjY`+C(0T6z`{%#IoQVcCqyH%Cp*^*q=@mn%@c8bvTBc`kxAqj#>BAHBbo)8jKLk1t@vQ5)ue;UZ-&6mSYHLx?;5 zX~~CE+&dUUS}#dp#vGx83DOeMkox!P(v0z2ML$*}K{>#r+P}nKqaFU-xd&yPfib6s zqMSMQ6-)-OU^M5)eNckn z&55uh`9X)&y!h9MfEK^U5e`93BcEmE?!QNj@t9p+{*w{wbJ48jM}kFX(->%!l+bDkt-b8Yb+UGORj$MW<}F82c#+QmeK 
zCd{s?zDxY(nq#?KMv8n10jyERMSpx1sy`@2?NfS?uDNKLrh%wd z6rf-CdWGL~M_OI)u4*JN4HNEWby8P4RItFvy>l7ZV}q#CSS)1^7K`*q3(9^tll^j) z$$AmuhSJT6gNHEB3mR;)z9cdxlmz=D`eL`NyNg}^yN{yOk_W7mje0RT@SurB_pAWA zf{-dk(VNb#oIapXj`3bjtiFHulK5w)^U)Xc2oumKT{gw3hTDYh;<~!v_;@8|S zoY%N!FkxOUo`k>QKB&j#_FSbBNEHO|oqn#qK6Y{`lwgJH?o>tUKgvX&NW$`SyVXpZ z8}A`0`h8A*Z`nyO;tEUM=yJs4G9|zql?NJH6!fP0AWcM=XugbsabW{%u(pDrzuGR3 ztr*8WFOdPEanl6o+?~A1ucloEnXUc=e93Gw&36{b48(XgG zE(+?=l$#?AJYz@&uaIbDpaK4*x%W*fcy^KL?7=wY*b5){A$X6;@nFu}~X8o~dNd?10LpnyruXs06jPq|jB@r3B_{}!G?Dn~^C|+*i3p6bphMT$Q zo)3aRQjr;Uxob#YyE67)U^_X55n#Ln3X2UfM#*ytbm5M%WB!!fi?6$dbS5na8stKl zqbm5i%8+`iTilbH?-L+dq83D$Hi}_j{cLGVVk^J}WiUc#TgmFb3Alkd7C{su{P0MC zEfJR{=XGhckaQki#`D16YF_E2-jI0qqbz#|%4*(NknIqX0|{KhXPqNLxD6>;akLqB zATH~S;~$X;B3D0^ZF%9gl5eGB@ykbdDV|p)h4KZOMQmY9I6WUMJA_a&BWP z`?ct%4qkV$qbcN|r5txlE4qfy9yE>!(iH*^FW)AD0d z&6#jis$S@-0yb8tVP%v(m^0FCf-tIVo-`!=(v`kYqL;Pb2aRnF9(;SC%+)FNJ9g&Y3Nc()*(T zfWnnp0HE;VWf73!O2ME1PZ{or_r1?UmYG*Xm+*9U>cP+HOqrHm&wz;i__%#Z&nx?6 zLa$CKx=M&8rpqSBz~jX&{nxd$utUDE0jQ^PCg$ff>vazZT~!M^5F8(uRlz4aXs833 zCPiJLw#nN9V)LgmxEu%Z(eFF)(a5>HgcD&+)lJUYT;1cc9|1C}4am?`nzPlh&y9|x zXxld=nt$BlG!B&y>Lo*@Y>@TRda+BxlZ;vsG-652i8;h#Z~%^8~_d#jvygLP2}Y;GcbbNOZA zs9Y`47VsJb{%jfJOeq_<7V_*44xvslc^<4>(7FR^$@zl&EIx_Sgnn5EAe`}8^CPIs zXDm!I#ENG&g$*j=8J>Oedvl!Jhc`<9!`{)rXocV%bSGd;MWpQ|k z@+Q~MC_%YKD0?iq?((SI+T6H^$R4~~ku7t%fH0$*lhsUPfZ;tC4lhv1#{q;i*3qzB z@Pf~n#7pBPJnvgJV|tqLQ=c&zk-`z>j#5D=@8 zWU`ZDtqf7Q3A8R@JMZVrPLm9joHy=7T*+WZ-|6H%xC`L*n#Yku3w42!AWZcA6P6aK zogjLCawFg*UE%ej5;y5}47o6atk6rbpX^LuQlMUeWl_HYeKo9zj5$%p+2-yl+4G*=*}u-ykV*@;h%L91 zr;Rf1ex`Zf6m8u2BL@{j4Rgs=oU{^8Pr+NbevWV*14DH}Ts+GvhD@O|Hmfp(LidT=8`E{Lu(O+xbPP^}HGq?CSf5n^Y#P(S{m} z!hagc`5xHHOG+YPlMO;TV+oX^XT5zO$L#kApEJ`RvfLntp?u-hp96GTgFomqsT4u1 z5GWyZ@;N6fNRh_x^+cMLEMSs>eIkx-Cr92@JI*pphw?&<^moSCvP7{#T=eq-F)>>E zWm(SToknaF#nlu^keShgH_c8?aA4tR2rnovX!+u}AH>wxHjk;p zWNE4tpLV}4Q7~h{7_<-k#xnd4(YleyNPV;U9JFU$5h=a)RgQ4RC$2EpQt7=1#WhRe(|&V2If>Q9$BJ`W6zAb!xJf8%7v3cH?o!}%tKfkQn2CxmnFcE~ 
zvXh4kC9X|^W}@L+Cd?9J9FTz8RzwRDZw`?YiM|7{}GRFrDW5zLP zaY2*JPi8NfUe>8@tE(nAz-zD1qg|>3ULr%%D!>2%tSDT<-AqJ?uzdyxYr zC0@7DTCKwp+@u%tr^t0#QBg7uj}>qU#Ao8F*&foJ(p8}utfh9f2ABn=g_V5fMU7;a*{~;8xHmH(Fk>tDe%aH!i=8VZtLDv#$y?r9ti{wl-d|*aHA&blEKdKZYY9`x z@K3;G$d72!d3gqenn?6uf6vD6qk!9(eq!s0&}izY@&>^u@Ex{E=cvEZIN6)M8}P)B z=4yz(#|vNsbO8EZ0r7{HqPyAJ^#n%qGu!uSDF#5Y+x_QH=*?+yckxLaU4Lr> zf9jpG{FLo?}thK>c%(~ig2hj2TdD-l6$q!$U zGYjL5o&0Me{Cvh$EpYHLhH*JIq1?`5$iT#|C)?(esY{6;e~+|^)6*O?n>IrnGpB}E z4K`ppG6r%*W^pW7*24rNd8~SKhdd*(X&pD5&sv3KN5ion&`MhI^Hbyx=q!lp7Kx|O^5X*)V$Nwad&I??08trA~oCAUV=o!L$8Hcw6*3E`K_4E@n;@4>Ho zrqqLF+We_eCAPd@P7Ly_K#uJ6q%Eg|SZHl#nIT5}l}{^xBvMe_e?hsFhE25)d4098 zT;a4#X-T?0o+>e`*}}DJMOrv?@vREQkuPxFMrFS4kO%Khf5)eKn_e+--giS9n~%zf z5)p=wUfV6~=6bgfpKjQ$`?y>^$-v{=Efqe#(m`>t#uo z+-sbnU3jz*u`A}n_9~n=gqpWMkmrCP6{smUS9z{1G0ZX#midzb!h|V9U&;z@X*&GX z+`I*6$<`eH{8zAWRYdGmq!MQZ8$DIg#>r_)g#9K1}!Y_-=P3i0W(2ROM^-24w*><`l zo$y0J0bs1kO~VRnu4x)0(4p%$>2%(;gLl_0cZ2C@ylck=)y6!G_SlZ&lhD0Bcri=% z%7!B+i;BFsUpE?sZ*v zSt)u{SY( z15S{3!X5E#i?}OLI{xq@%_X6*E&~4+JqVMcxVRIaH_dBku7*)|fizDYav7F`5mUJ4CA5(Sg0+(aItBCT8QVSVX2) zoYwoGBS?FI+W#pOfz*D+;*f;^gl@82@D6|D4miH2+jxxiKoHi|41w>pZ{`HRMb>Ak z-QvK{h{e2Nah>@?p%9^p6HsymPQ?WMbaWn%0~1HdWZC75?YI1u(yiog!?>r}#PW9{ zbsFRkVWjPMao>D66VZaiI1AR6HfQ&R#CYZDVx?fck*7 zQNiOtM2K&?)_8CqTlu`|^)Q22C2}#%%J7Km>`c=;ugmnfHCK?HgXm>@o);6o%4A)@ z8&rOGw)65(nMie{jH4Tv0*pT2h#Nv9s6Zi%tzNSy{7lK?tm@2gn+6-_$i zWBQV}g!P^R12{haOtRldAHr902w@52YTeHl^Gn0&J`(;{g|N>1(5hAMw!wqnTSUd{A8j zxfC?&$CSPQDJaEP)FxP^>O%}1J$jLny*B@R%YI;@v!RePmk4;&=9#P#TqXa;0pI7uatlpcky4|0EA8>Ni2&xW|0L zrssU72Hcf=6p|f-DE@TUk}l2y2a+p=%73vr)T`LVtjyW!JDX&i}xDgx+B{ey2+c8mbww;UB}#_ z?_*>A&c)&JKZ;f^9soaceWd5RwRXTrL%IE_c9!;lEE#T3>5sorBHla)jOYh?QobB% z9gkDUMgm7KQnQog(+q9Cv^rsBs-2eM$zH8X4pH3ib4~9$c%>TF4LZ+M0VxR8T9qMg}510Y{#Di1LaaD43JFn zn8zd(9EF76@vIUo{4VG@Q}PWh5U1(ckoVkJVwIa}uViplRhMKTCuL_PCj}@M#YbN` zG%KX@W@-eZR&X5t`O^>u_|rf*>=}teYemy0S%KzSu`FH!ik1_{@XW6^O=oa;Xog~5 zi%z>D95{$8s%k}8*GE)lP`Rv!E@|rbg7k`Sq!)q35Lva9v|X1V#LzWZv;F47YM57-RiB 
zdBo^y{OGL6r(v<^;q4`t71Q0jxXb7}Xb@K25u`8(0lsKbYa84($R?qF$HY>>gK|_;heyC6kKS?dLdzfdsCJzttX^p9a=db+`08#@^I- z9xD3{GR;2MVxMk-d*RA17?=8tb1Es=|{U7PT#@0oNsBH9K zaf9g=d?j@X)Kg8e)f41H6T=vl1)WM85k&E%ux_AT@IjVnZ5eMge)vEEcRDxa{JE+`>{lhhNd9F=5*EApy0UR2V-4YZpmy+QGgwwA!#JXE|#XTN~! z_<$f$SW$nudRNFV&To|=XY+n>2Y`;VPq9@52&9F3IG+n|@wOyNl+|?%ZNw0_^ONyg zX<$y0=?4O8?3}rs9~e(*1}=9FfR7$TXgpn5=-48uTi&k?@0!^5Os8x4UsW_?kDR(@ z=Jt^z=C8poJ4&jgOwmKGm;adhLqHo&a2G@$kcOOzrN?Q9c^hXrP67e40O^h( zO>Z~#NLz_A%7v#x@UgcJKUsjjr#CYTB)?j_At$;`+*_6Ul&tfWu9G*=eIh2N;y~1Y zbr*CK4F5DXY zn%0BY=-d9Bb|rl8+U-?z{j;>cX+KBW@K35d;U)5B-`PHq0s#ixk=>xFy4yG|8B-5i zhZJYs(=Ao?#+3aGonkeRM$_mWCnxV5lUG%ooanXILiMy2LU%L?WB^k-a#&2J%_};9E=x|4~3N_4LEi`W&TZ4lW?Pz z;Fz~t9?VihbDBToE7{RkBReu1!Fei$bhz}Xqq4hB^MuC9-r5wLU7Le5?MIXhS}uZZfQ`(@y^Ep ztV!N5QI2*Qf}ZW!83CnVI(tg_Hl$LmrT&CDAY9V@0o;lH@=J&)FysP!3=T%#O zrE?X3{HpShWO+}~#}!NDEdHTSTlar3^-k@THQ=^woT}KiZC6;aQAsMcZQHhO+h)bK zZQC=MC*RupS^NBfaWQYknEma&HSckgzx)--Dv-Ym=Rj+mLOf6V?gntfx|@C}-kA)o z@8)eKK({#S1%Yt$OcLhL)42*oW(5TOUNb9MN~rve>qnUWZ|BYgzQ@^tG;N@kN}oFT zyu3sKeMxqKL<{s>LO_NmrU6;Y2jRSd{@Xx{rWONNO)mpK=fakuBiGh1l4rVLYS{^Er7B8e>8kI~S$|bzR&3>})uq&uGx+{w zqByBkJ)BZ=o|}%|nlu$s-q+G;kUFHT4mOxES9UpdKezce1YA>B20Gf<7w5P`d<_n^ z@sySY4c7WW38!-njRanLn@O-KxDwd`#ce*|T7^&3W?twoag`Tpi4S%*aZvNdZk389 z(@+O2%Pp{iF7%!|d{saL2WPOYjB+iv+*i)Wm9C4Vp36qIr|$WFD1k(xxHZM1zwF~+w@+?biGT!#XQ<{Uk??2i>wSw>H0rh z1L4@l$N79YRqbHZ6>J%&7AjJMNuz|f{|ckQ!no+QR>3gC4{j+jg7-M}kRS9hRKT&h z!z(Tkcqfiwt*Tnp{!POF0I_2}{p0{JCam$utp65Tp6^Rt+y=X0{-jVbSZrPm_}&<2 z!W5im$eOocE|#l#1YbAAXH_BJ5-s7rL}C8NTUjdX^Ml}?Aw!j*LOFfqF1C1bl!~kU3#ZyFr}2EanaO)6W4GMDEriW*aEp zmy|Sw>{G{%6YXz`QMyw9jWHe+E8BsdP9v_E3l4%fAnlxUw5ftbc`25`599#ML7*isF{qeATRv!u@goop)D=Q0Dq-uOs25!f5_8jcFx2y3q6IIoemLJxE7 zEZLo>`FZMaN^FGYs~z0cex|_*%ZU@69G-3V?5n{^M$lg|{pNw3&-B@G z(?iU7R|R5TjswPTUbMo$28`t97z&t4i4nju3#>ZfIo_13 ztI9)qH=SA-*`Fqe15Ha_b6B1Fw&vjlYq!pa4RM1c2$6lp{R`eafLC%gieYZje&w1k z+@x9)m|L394D7jL^xnx#)wO}E%6`|=!HlB@1%40=JLZ-Q>QtH-nl#$@+Xt6#Zprbt 
zLkaAFvAVBK_lw`95?l4B><$ms#UdY3r;X$n4L41`Uq^NnUtMsu(Z!lc4FSP^7*l+W z82nwdl-Q0>)Ikg&>2k;w9X1%iy_deo%Ruut>JbBBsfN>j4OL4fDKfl+k#6EMHvF91 zGvIEr9kAAVukpt-?X<3P(&q#YFaIPR`3QN2R$ex%*StW|ieohWHN{Y~gckbK#;x`p zyxg>3>N0uGDbPz;7oC!W`iP5>*3zL6`wsW;Cx1ZgDdPf&bBJ}j#lv%lcUx5}K{tpXnDNnB@YP4Qr%I$t_ioE>^P>(Kk#7 z*mI4Y{M-iFguimlmn9Ph!mh4yLfS)#=r<9Q7O$U_t0%xz1Bl7D-l=Q?-Wg-RlGmyg2s%udT}&dGK zj;{{EdW^*hc=^GX(2-Lu7<1@NPBydLVqkW(mS7@A4F>m)vncg#ZRIkZ=y~F_)srEe zg7Goi8Z-D9plwC4waRg?o8UfGw&My=D$JZo1y$XZr% zF0>Oi!v>iHL2^zD7;Ek&V*f3oRoGg~7PjpdM;Ld&#&d?uka^SG{@`fg-?GC7aud{C zua>3C;JDuu-nMMi;UAiCV1Y>2Lsz7|{AVXT#37Y#r8Rc(d8}iMg5l%=q)^LZqk}^gH+UR!IPhbq)U4cQ z)c-ICaJLVkuOY2ofU4B^Or&U^ZeZ1??e3`J%n){A4x^!8G5c^Y{oMQQphKW`79R5`bI%&ux?|LWCa>=LZyh=8JZM2Tzf~oiY({Caw3ukpAl5h9ML^|UFPf;+4|MJ@J z92==Nt-UF!z#)_zh%5&OTE6~M>LB|rv`3VB9i)C)J-a86JCtZ4+tNI~=R_nVe|CmG8J7NiONyH4l4SV7TP8lHh2A zDo&xGF&p}-(mVRWpTpRuBgs+Ki-Be($dRvn(#*-d3~#trfMy5>05rxEp_rovuersE z3d7S9=+_T|rji#rp3{s_;V4Vz#45xv>PwBQnVtz`to}ok>T+$`DDCyd(!1u4!uW4M zU$=fd9&L)Y$49%0+hJ%RPdMB{nFySr?g|PUpOj?C*Ixqoli7gwmziT8Ww0XXB6W8Q zQMB-WAx#i1OAeH)VA&2AxPv@ zP&=frcYvkeXGDD0fcfO5YPn@4q62GH6`!hgNAw&+DbDc8hr*A*eZ}JjR0`doLYZW{ zf(b$;XL?RaT)a13tXT;{RI;AekHnE!=)#t)FtJt+SkKN1Q!h_$^2tVoNQVpwi@mSg z%n9H?fNl{`fh19Tl_aF&mYQYVO!)R zG&M%QQ%XS;UxjmQ6BS5pEClNoEsZQCe?edQ-0|WQCOleV1dU?3-vR(49ns(>|KbHm ze_yW$m9s^G*O+#2R*~jx$k7bd?kyeZ?5PhFBwszTANLJfInNeYwn zczyl$U>w#S1q%`uvIsx?NzQ1qPu#ULM>j^m(+Y8tvb%}$C1vyTFGld6Dn|q}Lt7=b zPR9ZcD=+za`l$W7>cJL-jj!OkYDLa`pc!Uqknhq{Vop#^?C&#@f6~Q!|A zK7Nd|xLP-eT?mN>yYFLqMaLPIl4fVADYl(YAHp{ty_LeaO>lCZn&ARu;pImss_IP- z9-FTV6I?wO8NGJ9xo*1TuZj?i^W{-ACc`=&xKl|UR^$~`y07uM5Uf&_lSh`!rh`co zXcjm#nv#F?*93%4rlz`F4W2OL99)3CC0o5mub#8cRhDljVrh1wS(xWj5X5w9lS3}g zZS3g?Fj{42ac%n+M0yWPusO@sh{=1HZq15>kWHc13)%RI|2b zk~w*}`hPqRv1G&apmg&oeE6?}{ol6sd>2hJ+mwMwK*{bNDY2$gPec$p9l67ZBz{PD zQO4&UN!xQ_4W)Hl?T{9sVF@jjAe(EZAcOX4vP^%-)Nh^UFdk}^1*G*z$4?{cbNlsR zBP?j6suOwN88l74Py@C1`OHxLOOhXk(Li4UN?CVbnJg@oWKAadySQC2tQajzq}P%YL)_IV2z43G$y%*& 
zr_Y$OUOIJQ+H8^6kY<2Le*RGbp9z5$rNBEOUTZXY1k#~m_(gpy>@Kt~hvCr4zid1| z4wmp>(P(0S-5`?>c>V~CF?qcR3$#UhTZ=TE$>9gsEOds!$R0S$&FThq7C4GFTz8_s zsZHa;!leY}8^N!d^u6?D97Nfp0FGyLYc20ZG*S_Ts|G#L=d$%{ePE~SPT)MRu4p+f zuS8(A^UyXFMQxX^Y!Xt}(8#rmabJZW(?$omrEaQ!S>7lf7DI|OpLmB53pnod7)*hl zr0xB0S^JR@M)scB8|xQXoISMas}auKt57YXnrSqvi7a!p&}thNxK4vVnT) z&Y zUxss_+8q58-b5#?#Fp(+S|AUw;1qqyt3%9O@2>FjV2==oaBzKXoSfMUpq%+J;0c!j z=>j8|Iw@445=CHcb-}&WB?+{%dh~iXpI;+^JHCV@-+#J9FomLApbbDkjVv?4Ma-l#f0@ zd{ouo%Jv(0slDQ}Q!n(8RqNeoy|+P&e{$1#dxC|i0{u^X> z9Y(*kumliNe7qeXe&+79nJkQ(a;jcu8+OI<3QYho5a`nG7z#C8epDa3!Ck#In!fga z2zUY2fV!_M-){up*S*Y7(;a~w-}lcK`MsTQWbUUv@a-F!OMlfq>$hhTe&P-O(HUg9 zx>|ejQrnaqhcs59?`G$awr^-KAxIRBS*AELfr1Q!{mnib3KH?-uL<}Ow+GtCtdsR4 z$TbWPOmPJoR=|*ofD~p-+5`qKsPT`UJm^o0Ei$ma7R>8s#W}wf?18NkRZi#`4up9kKWwp3GUGc_Bse3e_@%c89S#>(YlFtmf zS`!Ad4$Uy?N}O0uMA%=VH8g_m=N*Fnp(vXlbXqzrlHq>@*17y{^) zP)k*z`H3LpHRj33RoFcy3V(Re18zZ>4{Bx*W~lJ@{jqX$THn|p(E~eODuGRoHtB?7oL0PbGK>@a~iZJEL2uT8)s~cO|}}lqr9Zb8VrP5 z)|@7%LiyL^oWs7@{vQ{;kwMaj{ON=l10(d=w5ZPO%6Ui1m8dtCs_c1CIUWayPT=}R zi%Fr9dmR|r_gqkw0hVHUM+JLwbvZB)-&ss%Z2+9p*C|baOyw#cmL-Xg{;3nJ$X%1( ze3F6)cJwLb4MeCJa^X{Q&Q5n)UA%l$w5Ox#hp?ZWX#(cDzF~NiO(QXikIfCH%aw}M zq;^gy&JOSB1@j*I_{2E;`M?oTtEtm;ahlq=aG>x5{9yLUDY+d1)bwDVI~E|A7mh9g z`V!#=2H~VO*fZF>Z%;SW7ys*XVpn$oLN!|ydupCKjT-_y;7po#c=v{94T}}p!hf$^ z=T*Z@nEhp!kI$Qp_(+}Dw|5BzEDo4M^vBETyC^QKrC#LF^p1gB!5Rur_3+v!_U7%~RuLXUQ4m zuM$XxrdbY@vWy?7hgfp+-Ze25#dF(bCmR}8y8EHxy6AFhlWv+b$Is8$!>^mF^_dE) zep8Os7VpoD?~-@W0XeOO59>mH5d}mp2cdg$TA*yHG8yUjc(eHaKsRT*OYexpN+uJ# z`m?!Z58cJqC`>+)G5LU2r8VU@cgdHoYm+$i);gHZrtCM$D|f6Xlbq6~#JZL3S7+9g zntJz%s^SZQpbv@L`lrOsMV$K*b4hnrDY=Z=0l}b#Q;TD%e9Q=XPks>4rE$0O;0f9s zxNlQ^HHuY_9qLAx@0{XLS%cH`xR#SCe!T-yolF!;QNs@uddlOqpGe^_DTe2{e@yVd zRrPIHj@MPSh2ZH+mHt(w)0(_iOg|aFf=6fd2R zj^&~CX7VHW|1s9bl@`Mv?g0rBa!k11oOmDr9EXK)?f)i8szvgs zs78@L9#yeginYaIn>G8OF+DQY-R&31SrvF>-M8hbEytYEUnPB4oquXp5|mb<&K_WC)u*S{Q< z>HcUsS0<>Xy5qxgle%BMGO5zwWUlXHyn*K6y(xrWQ_e)>YWWGVdS-}i`kHRSzbEW9 
z9JkHyJzpIae1RkcIlXB^(MB4@8ArjUKBbYdo<2ONnr~$SwImxI9U@^|Lhkj|Zt(VL zCH4am@)Nz?Y;Q?nG`B9+hob2g+nufAlYS6eW<-aAAKlQW-||Q53ReczEJ-yeiZN47 z@R2<|j;)FPV=o-yn@HbFLejL4E2HvR8&*zi`JWrGG=nIcN$y%Wq53CmL4=k?f;B6zfMS}*k+10 zOQs5ccw;i3J`t`Nc=O`w|JsIqcD;Gf?+MUP#(FG{tdp7oWzm^wkRIcPglzv}b?9sG zoEol=*23czfqh}rmciL?OuFpo#;T_OC|M0}qJe^N*Bsn}@gpEs(uWwN>rem3bA?_e5lkNeSBSR=dSbjTE1I7+RZ z)!^nK(KbWuAH-J=)zW|CPIBy{oc6WcIg;gcD(cknxW-}2iKSORdJ1}Fm|4q4cqrYs zie{*=?L-KK^=r=PvDco{Nz)JO;e?hOoDajI=J%7j1@*M(SrIILVNnLFX(|_Y_A}hk z99*iqo;Az_QSwV8THaxpKXToZQ!5VMC^G&Rv!-VZA1B=fb{{cv7wddvZXSrY{L=}15?Y*7AEW?Nl$8v zQZgIaFB>(!vGj4~jDvL%PwE7X0XI3(4FBWSRG%=4Tto8oT`ZdLU)v^~?2qs`tZzMi zV)E=twq~j4WF)PB7d34XHuMvEuGe0p%NHdhFNId)M_n;i9N5N(bF74*{OQiCv!=kx zwqnncQnW(%)!hy!S}(N+XHXe(ilCJvoK*?4&nprCsvygHvtD53YK9e~GJ9_K+DL z&wq)lGX5qzEI6HomL1iCv~JY@=<00_;T%xmy#RZM@H4kTt-FN(F%~4u{$nhV<~)fk zr4=W1?hk>1T4(8D8}zHJN3bf4sRSe^eqOO=X1PqiX_CY>2 z^vOk71oqFs6v1G6RWYVv_SjIWL)&pNlYr5yBPVm9Ge8QWBXIE@iMvG9RN)E-@T}pX zTSF(xlzrZX#?>%IihQT7=TJ%Z26@+udDg`~O%_w~v26W$6kANa1DXECnMuy85}|Ap z9Zo;vrv4{wRr*d_QDbpX)zh};zE$-e|EcP2`-IUN2aebNQ`OrZkPnN#x@g!%*PS-O+HrP)XPBRv>li6utin8@Vt_#=#IN;am zx=Cd&ALI-(3zq0qT>cX)DFw(07j_W^;&>#nzEPVp2iM-U&#=&FGQ= z4d|z#T6d;*Jj4P{c_jADKvN?bVBeL7BtzseO>Vb;=j#3Vi-_>-LbiyZ*s&9ULzRn| zSpc+2V(b+h4qJ96D64&Dorcy(jW_#4hy4&$hKC|ITy&qWc(iBl*7H?{CVUG_wMTMx z-$HELH(?@C_WpzjMbdHRO^y|}B~?{dGuhUQn*Z{X&;6gIHF}T~)9HVb)?pU$+5eK( z0DXb_ag~7NcIh4!>q~lv)B!cYpX5p4oD5ZGAx;G7B#plQR3AT?)k!mrJ88USx=k0Xl= z$;B~lS}qKM2JPdrRJg7D!w>OK?Zfj0J9idtldMk`qa4W_X=A^BkhvD6$%rccd?3~< zu6-YhV&qR6mSP zHh|`6hy@&?r@~kC5gsAgmvl8id520rPpoz2AdYQ2h>Q$oFGF)NuWyI3EkoUa>m5=b zcEyU_@_Wqa)f*~15-lKmZmT!ZZPT*=@A8%3fSc@N(Kg2JTQcIerka>sG?}&(to=Il zog-Dai1qL)=U2~TZr}LwzJ9(C&j-$lW7K#hfuG#^?n@Yun#;c)Aii<|e-Xm?fl_+f ze++ya$}=9kMtpe;0_jaB1bFUh!GU6W)Yj}cC3{w6t-9tDN5ttoZsE`0kb{`x1UvT7 zUup)2^K)-BaP=E~xc&E`oa-nL%v_4Y{$iB;TLX%6O2Dhn8JZARq0H3i#qI4hTUyfB ze2e#3fk$7TgY}iI@mBLF?#yznDYt9J!B>o_U;o8PE4c^EO(!!sd%$bp?Wf_V?_KW4 z%uB9!04uU@wG9xBOXe?k+07lF#PITmO_^fYF|#`lNCE(4;s514 
zV3V03v6_i9gfjMhqr7ST{;7hRzzPC$d`m!+fy8u|HrbiCuGzaw)w$q>5*VF-HPkD+ zAet8-VD*e+_Jp!vz$vIrETK|EJiC!m~*yP_F3`oHEqi* zhhw2cqc;A+<9g=r{4fGm5Q!69Q`>KAvRPW_DOI0*H*{&!N z)Rzp_>lzo&8ZB+WA|6Bi+;bLZJnkoKx7g!;x(6uM%~_*%v{hfC)->Q4ZWtqs>)S6i zoF9mh8E{$t#eABYFh{jRC!{thtQj6r{o4zH}|~`=rIM@>x@J}di4Tl z@}W6S(Y-xr3VX3~7f_fW(@@U8)(JsFerA$kp1BT*vc4`vo>N$GC;)6u;X}31upD;I`RW_PV!ROf|?rtarWD#&UYm^<_n_Oc$`3i0P31Mz9er8#yhEws(B-*_{`zYGnwaun&GVRHOi(*N z5z|bcA9;rDtaZ=ZzAqFOkDN^XfB=GWn!oe394l)gzFSbcph;-AT@|B0>q7qv5p&UV zG#$m8Z)*@cKqRk1!z^q^%C79Qz`i9&6tm~0mualzrMJc&>1HTa2a=v+)A~--*uIVg z55=c%Xz9tqqjjj3vu!?EV1E?QHBa1u`uX}hF!NO(EunQGEXq@q9tKcsM2CCa^^X~# zK@^;QFqbxfe;n-UqA>kAfQ`Z|gNyrH{E?-D0pUh`>aSTo736`cML=1qtOSFfsgYt14(ksGTOxAy38n9T3ZJ#!KxP*{mClMPohc44- zy*4qafsUgVPpg6m z2GpOf_f8o+FCCkX94)stCkoFOB3z7pp5SVAw|;wzd+CFT-b2t>r3XAXrF6f~CvQE> zlDLm*ZxnRx!;*UQF$a!SZ-Efsfq4*MVK|@mpNA2t$gi8V#P8B2K)~y6e~lF!*s2J_ z6f&KqIR*y{lG~FH35TTM%igvoY3@R zJGYKAa2P+ym+m?JLv>Dn;rg!^t&6Tou@74JK^3;NeyY?-F0gvF9#Foj`E^{Cf|WpO zx$2~=lqf=BqteCm%+^p!wMFs3e`eEn!y-fH)zi`|0nJ%?CIZ1X;X_<0c!Ho8#d-BP zv=|6FzjV(Fzh=Zjcs@1b|8_=yd8E4BIXv93hEgE|q|*|H{sFb5S?)$L8P{wvyr%5b zL3y(~j!#8bZGV3eusa-Y$>Gd}=aYK)b3MlAA?Rne_m%%@BX$N46Lps7(Hzt92h-R-ZQ+<5&28Y%g_E&HWcl0j#-?1>6dlJ-D!fR0m z2Cu>L>Q=3v_-I$E<5c-|i_HksI`OdR(DpFe>>3~E?}+uy=n2l2d}!te%bjhLVM?nC zDYm=E&63e1JSr4wi+SeD4%+kZW`^d@hvZvaPbMx-I3cH}RJop8OiqH;ydJDGqbn-aUXaJws={K4kvHX>iN za>Rj<+zxL!=7|KSAc%eD}W59(pN zgFQu1^pI$lz_|Ur{gV;Bi&-4$Fj|9hcOJ{7v=ZC{I#9}RIK-dui;Ud21%l5a+QJFy3+3GoC@H{YJ>DwoV8H)%HPc~e}8 z0*8%l+grqZTP>(obZqsWjKI$LBS74yQdKq^r$*c*Ph8XqXudgQZh9o~kg53e(txl~ zNpKshUh_r~{5#%#b0fwrTHC#l%A#`pngTOEMDTh*NsCf5$Gae#{zU+OzbaJ`D!epd zg%^G$?+^@wxixCoxUje-e1t;&EtGgV zlvn_GSz|2(u1U@9U(bc{5BrK;PZs9As&L2?&U+3P9_5afztEiWj-mLBGG=QE0?{eN z4D(1+^!?Tn=(&%*f2!$+6f;o;DDyST_JeS3QS>?3UiRg*rBh12>_V4^?Z-!2% zK4xANP_7ychOjmjW zKNNNDOllUgh0QDEIq`o>kFlkil^u8}@WWBpnf4>I`0T7Pao)IZW|ONDFPn<+ob4M$CCx2D}q@gl)+zecn(qZgF}! 
zEg0BJj_$g0KYe}+YAEVRRrYJ-)-9B-#SPcGcRj+tT~ z(DDS-svgMacGngJ%*FixUZL^5-H6=-ub_NtAVW81V5!8e;|Q57JJNamrJ#(r?ja*` zTxo3e4yMef38|`0aor(?>@>$I)lz@S%Lu>cw9HKjQE9jMI3TOOlqMxA@JvluA5vIJ zajH$=J{gCBI>%4uJgm#>=Ohm+Zc!j6sAVd|(_aBo-?@mSK(zo7?qk7tw$K4e> zv=3`_=_<1@dA%yeOs0f3ntq&6SnXM4=j+!ng#=HpN?Z?87iB$N7x}w7vDy4-^hJ45 zj54u?&=t?cA3G2pIe#}=OlG4(ib0bqUPT=2^(ugCvcFi%Q9a*gO^>hALk6hlUdlNA z#FcF?Nhg$jdso=Ozb`6>-*N6@xgFgZ2Z&838oiCv_Ze4iH|ITt{IM*7=<9IxJ?_zW zpqY8r?db7Nl{zCNJUpk{8YP8G8@m-P9};?rH)q&Lur|)BoFGokw}!~H-(w5AS_5mB`~>ZCPtsoa4Hxxe3Nso9lq7B1>m*a)4bJ{8g3 zkQ1dG-cps~VcvH6vtV3!Ef&#%_SZ>PrF6Fc-K7EMzPI_IuX)JVj&v;^aWPnD}7l%R?-_YMR6;=x8*B!p^hXMrLG{%8nm$QAq zYBcXJ-%R4)Ds&*%=&o!E?wRoT8m8lQq(;TmI}+6WKxD!8U{2V9GETLXVW5D3o8l<& z3lJU-?8v_F<7q|h0%I10jLhzI{^bg8*>LYALty}l^a&Q_!@KUOr#;oZ8u3@U0KXc` z1{U61-Fh)hG}1^}M;-oA4MTUc^`#u@``iXE)IlzG8;&zITIO z9K%3V-(k*vt_w4;3r+fJ%Nf^$ZXi#DZR#x$^#c~*+tBA5IydO3#pm;O?9^oU%(8ER!+po~VP|`y z>j6B=ddDq%`xM~grF-}7N1TcJGNnE8cOJI|!CV;f^aL83ukm*!=R);(X2X4*0Bj@3)`4Bh&*>H`3b;s|1oN5W9DI zqA)ljZ=Y=K9Zot0v(eD3J#TzY>2+zmz^_(YD)j0iMZ4wA_5Q_`r?byX?e zjQHF@yHG%$iV-woaZP_e@EB?n{gyng5k1cK{Hwpt{w1-X_X+}x!lIT(>v?KleK;uu z(5&Q=3R?O>?G1Dw9SeC1?1a~uf3#x{a5W!*j>gt==#7`dpAI$8bD80-c^_NXADc$X zT#GeH-hkJdWUBgiDIQJLv2X?t^cd08u6PGmf{BFT=^Zi*;BvP7V_I8k__jlMMIYFm z&rL|jMqI%@_dApg--9+ZGk<^3+}teNUgO&lyw2|mFuE)A0RHku^C}@|`0jjsAi;io z2QZtxr;Mlc%@%K+=t=?HuOlZwz=-K9qKhH=0HuZM$>r5fwItTN8ajMU-Tl#gw#N!V z6XoHZPC0;G-xl{Pk^4~jDH}ViqMDa|q5-nZ_MzaF<*aqLKdT5D8{`46i~=Q;uS3qM%cP$x z3GtG*W=ikI06mx_LnbZy(8-Y7(26HCz>1h)OGxWUyz9Z+^(0?(Y0Hd}EV_bbac_AR z{8;$F(G9fkA>zsF)5ZD%^)rRlGvff$8>F$UtKS0#daOiwqlz6~FFg3ARW`#mctc!m zpAh{pJx6G7Jf)wwe?X(+K$*L_tzX4JoP1V~?P`ezWC%@3UuMR>^LFgGLivWNJ9z9+ zYg>gY)?*}YUk!3;QoF^zaR2#)#iB|z_a8(02v!B~EO?FY>rl@A-$-8_PuD;Tt-wnP z?|n^`ZFRDIvE{YqU>DQ+i8iU8zkNyv6jy^G3Y5356i^yN0hSn6zt017xb@fggo4$o zUFphf=tJSHiX_uRkY6^6@kgXZt9~6+{9&5;3o7V@E^70$`B2EUPD3Uxygdc?ha$@N zdNJjIGe}f)4Fmvxga77+i{NL_T3q<>Nfc4AAGCL9a85+o9FaZ?p(h%U#JmDymtH7Z z@X3WrxhmbaCYXSRb%tB=VT2l<)ds0y^pqEiOW{(PclaQfSg~Mz(83bTN81_**(g26 
zNG;_Y_Ino}jl8Nb!+-VfdIUq^sHQs3z8Ct;6Q*A^OyV%i4OI%s91tdtmP!YbAd=Y% zE$Wfxr+q*gq(RjwQRba#*>lX?Wo|tx<<8F<5Om;+&x4}`-Rl#g^ z?BpavN$Ua)$imTA0R&1h1CFVAyb8O7{1PdwCAtGewDTrud*vaH3Wp3AY}rf&sJXb; zh_ulh*igThHAoPsLs z6@S`Vn`1$#O-N{JPcCuWDULjs4ZqKp(bVN^mOy+D(nzYp4v$37Dj zh^$CoM2^Ej)k6lLhgy@-qeE$v#Fw|tUr7*}qanb$6{`I~9_2^~30?Um>{#|Ylq^@I z1@k4(hJ@bXJB8lmWV|cxRQ8{iyvWHP1q)wKm1r5nTmJ>dJix_T8{Y!&qd1z*Y zQf2iFK8uO~DM2Gjk$%!zdB0E%GSY)AVoC!t>`n5zzsH!hPxGAKuCyD%1fD3VPXAhx zrJ(^zhAF7EMaD^%_|!w`8%QCi-ELwVFexj=(8^G;8DQm5I54`E%HL8NZH0-f`nVvd zkU9giJhEbdiDFyQ78KS;J#a#8q8~qIm0o8vs-ec5xKbCNzzdF;c=%hwtaF+&at&F0Y(~o^%hlL}xlj&4?P?lSm0?9<3X@GkJo%&jN2aq%b5p zr;ciEHX8Sj5AKEQHV-aQBjRKWnP}RYydevk-0&Z6P`SNYXsi3&*G2xj@=t~4={(SI zlN}q$bK;5L5UE+cjLDkV>{k1tty>$DEl1ykg-?@?yiAHr7 zkg5yP)fctQz(6l=JqW|coZHb&Paan$BAAul@^A>7ULrLd1Lhu;AzoQbBL|_Bq3R^H z$Ps^SrZ`b#U#(dmu{Tq{xYg!vVU7~K$@h6T^bpAH31KrJs{u5G+=Yyxw7wg~?H};I zSsyCB3(TW0`czC~Boahpmfx!HehhhB2z0PWieIGWm%hN)O8K=CbK79|WMS=KL*uQTx`i?WJ{TBSQ#&IPe(U+_J^7i=+yl=cJ z@T((XIuSLWbUk%DYqwNw`%#b|Q+y;6gtCoMQ3ELCW$R7=py%w?*dPSnV)>X1 z8h@$!DDEG~ZdT|gn zL_^gQsYU;$t|Fz(y+b)g906#qHj2v(Cq;P@ibi8|@qdK%#dJ#G){6&aW?h(Qs~F-; zdC{KNrd-0jtG>wIo&8GRFvaJ%7#UaG)kFYfuB0wOV=D(E{7%livEs{C(iYF?DDJR% zbdqWAraH~Q+2AMo?Em zLQrVeu^AzAQ8>wNRu%W&;;C;lK$(8Z89i|hddJ|*+Ne!Cwt2_4&5mu`wylnBCmq|iZFFqgb~>3n?@UeA zSKs{DyK4X5x~_E`Yn{1#G$Y@BpP##H#z8;KqD?0Y#7Sd+O7W348V7(EjyABD@Z>H< zM0ny^mo^DN<=wxb-4iy08)ANzgeIsPg9d1rPb%smlj~%~RYm<2;6~F*2U|z&<#4bW zqo~X|+j$!Nz(-p1sinCTC!PdC)z{$dPj|^>9s2iQN>mdL@Q0nr*(w3V>e;fwdfN() za!M_*Hg2ANJ_9Xchj0A@PX%`guIXP&YBmGv37b5*_o1=XSr+vRmesycLVAR<)eeOf zcB-T8R$DcCcIn4-3q6)^QG$igc)ENnlj!HiQg1^nWV%eH?Re8Lz4bee`D_;^=%Is_ zhj5-#o%y$6uV-ro4fHF1@Q&KQt^63@hIXE|{yw}>eS1wj)z3bO%X%wfCF9`3&&}_b zlCZK?RI$6;@@IT!sPfRN81rTq+aS8DxK38lE{4`=C&xU%xHdLjyQb+(aH#1hd5von z)J%k=IlG}tbA70*-KSC=Sx7GDN?6{_g7ca~`}YZ+qERJB%|5T*>xAJBFpSaccaL)lnlbzYtLNctXS~f zne?Tib^1*qkBA8S_|0Mf4EL`$#_067iqs0nDt7nx*22pU`mgVQ^EZQr7z~f4%(8_d 
zrQ0~b>mD*MQUTb+H3}{ALu^4iA7Vou_nJ<$M|-;v__ekP~#C6E~zDRm8j?lLxx02QUMVwYwO<}YJTXHcQ$2A2>XKc}l(T6l4G92y6k2vn9Q$+x4=C7UJ>liv00EYltS@36DlA7;B5ht+AHzSuOF#Y_6M|mvi5l{X^1V#E=p?LwdCj&%_g< zggM+I1P<-<`d;r&GP{k1DN{C3LZQI}*jC)+pZ8WyxS2B(v3+318wiUiK~o@7y3~}F z!&lY2V64<&`ptL2yj~Mg#lLHx`#axPbKk_;OSyj7d4o$^yJ7r)W5|zZ8#ph?Tot&O zo%Q4SxUQL{(@S0hjYFPSN z_D3Tc#S9EH`f1|e9S9^YnusHY$L|u7B0~d>HZqJADEIVR@X2TGrSE}}@aRMNMwlYK z_I6FvKOD4_i>@BY9W&EiB7`_iTDpc!B;=*{^|tBm{=DcDuB~E@~u$x&vBjU70^U-WZB@xAB!c{6r$McZ_KW?aHcZ zJg|Ak15ff}pRE-mp|cpX4EXzkmbrE*8pJ#Ccp@2%RE(Dei-NQ;>%_fgWv8OA^C(S8 zp&T@-HS5FV@j+yTxfQ*YTN<=C#;N(i<4GQjUz7vCbM<N3h6EHk$bHO)cp^9+TuMwc_Ydw$jO;WKo5+CYW{unc7Oh$&C5>BcHT?VIczXG8FFO5y9Fw|4iV$kjgRviek0X@s-_-#Rz zJILEL4S6t9gKQ*6$(tT3RUu z!l-7-C3m519?BbcParpRNcmLGoS?q0Y|orw$qLgA#XQqa#IRSPi3d?s<33+qb}%LC z{uc)LElnK`D>SpZ;ki0w^Ef=$wYog-d*L4j@hCf<@nu#o{=j)({!3GM9J@(@Ft7fERAl=1Zj2YZit5S zLBz(GJ=o*|R7b(8qTHo>(gzVqhcQxr($z?#->B)g84y#-C&YB`Em$1FS4!!rH|x?S zBGM@dQAD^b*m9}s;y0JwoNBttpkjGnsxR+C#U<#5kDH`#F^E;-=Y*M{N?0`OymM;O zB`3{8x38i4xL(B=;d>u>P);sdG~oMl9)p&gOgOxor;nLO+aJ@3RCJzG3Tg!{;bPm^ z$rvj5{(dEcvIphb=ZL+IHFMazGY6ss|ZCL;#zCe?E ze3((2jM!jmK_^Ya_Nbu+zt6=?P9bg5r0K%a`h4NQePMlIru5|8(y@Cb`Z3#^{MZ7qC zZIPUVc5S*vHO*E9=bU;P#s7FHM+JK)Dv`t4^y!H<*7FZ4zYbS7HZF}uo7%MA>NzuA z1l<~}0yRG;vkLC2Uu|f+A{vLC^HZ>?YxJ+dH}W&ThOO?lHs0-EJMzb@a{r)F#bOFo z)j4uOM_iZ+|LxmDiPrK2MxG6Fb(BGzP~`=tmL*(abpkC;;TW}cR7IQ77xnsQ=a;|XsHl>T10&q#H9d;RJ+Leoz2e1w25oz6j%|Eea?$13z-;$aj4X2 zgYxFu>hU{ZT1SqluU*{Ubckgv4ReF+09RXITij(=7V9bH-yO2B0#7+2{}OnDDp%}o z)v27@@lPwm_uwbt0^jJTQ!^O#0Fh{rlnfiv2_jb>zzlK=kYby`RCjd4i*B~6W)JLPkP4# z5)x?R&_jc;lvpl7>9oU$098(mGe}S9uKR`qmFkBkK`>Mt#0q^gO5k)D3~NNkozlo+ z$l5`&iaj15_}vGGe0|Gd8Tc!*?#oRZtD{o`ja0+oX!WSlMQRNSb}Q~fef+&}BxZmU z3yY$#!ze2nuKiP9mi{I+Y0mEL3CLvDd7ehB{z^>OrCm7#H0WSH(?N9?X4qwGmH`B)r zda?fgPEI$P;h`#@4oCXX0yaK%C}Hh|`PcvL?Qd@^!?qMKA-0mBIw|I{mStyCFEo~zD$(!i>ve1M+qc%$gA|K^B}N6eeY>r$~f z9!O_DUCJwdO|{6YGkUwe-6A@)#&;{C*94f2G11=KZ;!RB5wqctXdo3Rd!Dipdroq^ 
zbT8?RQa7pPOKuUgC}h79Qaq~0_NMOw*Z|}q5}k&O4?8^BHfVOeAi!m0xqCd+Wd_jV z$Sim8j$3$-ob+Gf=MKGGU9$Uk;#*dCy{J0lyinalHp1nI#h3ss2rH`TB>_6nW|*aq zBL?KDvf$f2Zx@vUB-b(()j`brZ&VqKga&XPOg|tXExT}t6Ne_>9sWF6I(g*anjz}V z<-E4TfTwW#QN;ALAW>-se<#9h0x~-Tl9-NMrOFR36Q$gC5$r4`&)C1Wh(qC@FDg%Q zm-QU5%qjnvU8=-Y zc}w5F7B43ywKBcX*uo6^P}Yyk3@>QW)E^Uxjo@rZ*(r zsTDFhwAQ+wFU|jo?-Wm3jxft;bK9neH-mMUg!4E=BfX{yT4-$jE+Up+68aqk{zYZ|d|ZEWY$Y4`taoa+IC%2^*1a#*Tu_8?D-x#{nsiay z=^R{D#NweYHo7c}##62FX?0Ucb=8iCu?2a&C-J~zc4%Xwj*4sSzm+-z2(auwS5T0j zA<;~DkYL-392s>XqetC|RnbFyFQ;zZi!H{$EA{nwRig#nNV1n<4V zJo>h>q5-%Sj3^{t(_AlEIx0bq8`a3dwV0O4bq**3nJ+{V-?Gfs1irCh1%5hNb|T-u zitiO8WEi+D*$Qd@!EX$0sJaZ7Q$9xtE%KTJsB9 z@a{HaHC5P;znnmP6%^Q?Ddy=~pn$|xkl!VPuL9sZES!d4|2*rmNV-@@=6|XD9B@x* zG&>ki=B9aDKa2^RrE1A#JI1RyWc?*9x{YLn!PiunxT>5u;=B zt(e$DM@H&e062r^Mz?CVYjilm)#niv;L6wM3PN7TY|?niK2z~`t3U&P+T0GswyJC3 ztW_1^tW7m4f4-Y}lzKhd%Tgp+FT^sNtrcm+F&!h{`GwgXdHF@tH82vg{S5Dl+{|iI zF-4&IG%pi9i=L|7d`S<&NY}zdWVBL+hQ*?U2lEQVV^zGT@F6Zj9%Q_xFmFp zehQjLV<$z)aNWod93TKo7LLO}X4lmV=w>KXC z%!~U704pp7GP+l1f_fn=6O@sx)a+!;j>0*iTBlbKbKe{ud_>n%oIl#Y2o z{x*MvM_8+XAT}JmLY@`dm^g_fUPts0RMZPGN)^!z1FGf-v**oP)K?H?GPH3k_@w9p z1^S(^q$3+x2GbL;pUtW{{BawLsk3ADYit(AD5EbeSq5foH+d>*Om&9-*pL=kfo1apCpiE(+jNLs%to2bo}?uq3VEZ6 zb&m1ZeqSlgZ;zQwXM5~eYhsT@s8#xIP5%=?eb9@~M|ktYmzeK{fZyB??6>mt5MRx# zYZ@Nt5rN7!3H>YEZ1n&yuL`h*3E=8ds;=WLjT^ZcJ*Ql=eW(UP%I;B((XZyxe>w6K z2p+WX><0x4NE~VHqv1ytdg`R!hJR`mP+zJTh9_8cXs;+W+pel&=+n8!J1{V#O|uh5 zih`{9^K@PxA5?kO6UV6tDsW^9d9>04x0Y=6HyZ{`h?T~5&aJvsOOyN^R9c~^q41; ziK)mk&%k)n~+CB ze0AFp+W&ZNn|*a?K;i~5r5DBy$Se~ku}N4WC9#c}z*l7SjAK9gn!yw66o4P|LtQ4# zJ0l+8KBY0!!O1Uy%|&i4&dGmSjXK}pM7#N`9|&g_HtsOW z`s2|LAh_vNjHS8iH&eF|yD^KjGo-0$t!T9^wBvc)2~8t#Z-9Hh{+? 
zk}0qW8Wam(2e|H6oLyRN^Y6nhz!W1O50&?&Ql#5b_HKN}&=mcimP!eW*p_1!1b414 zOM)T<0|DV9wGeNANN*5FIkm`4EDp{Nmosmi_D>u3$KQY}q+-czsPM#*&Cqd6uthog zSWYHVEz(HYa~YmEUq_!NbBkOm_Q2DGt7W$Id3sOmaTE_<&D>0A#?h0-KoxsVT1}%H z){tP-UWhB;MJHv$uwzD4MKEwD3C}jEpC8*3Sx-eFi?1hE`3@>*XQI(y0xPG6@9hR zL^sB?frHr&Z7>C*{?0H!qUQjSR3}kMosNs(M$U|zWetK|UNUEG`mQmmF5bw|qK}#;EpfEvRy8p( zK)cC@Jm$hH*BR&y8!;qqV;RmZn;pI zz7@N4L>d4S(L)E<2bsot%9$E02~TRgI_`t(M4&r!qV;X*6f`*u8A{4(ugB30!4(Y6FJHu{@ahNdER z2vO9OpRNvQ>7&RS-kc+HUjgi6L@4)-5S*EKgKlQsdtQa)Ajo(r?;)Y~CWkB$J|^)n zW{Ae6n=aG@Q>;3yJ6QE;T142rg0^Sf&iSDMaku%U5+y6X6ysxec`3cZCq%fUUAx}8 zWv8KaeBdIpD?`T=th=7sRjd;8pZqV{aeBmQoEj9d7+ZZvq>4gDDbYE*-AXTf}_HxKU)43SwW-VTlRnLKW(_)4Lv6O-;9AlX2pDMv)u$ zw2TtZWZt3b@$7o5);kZe0wq~3<&HYW2^(jR>Q+SOa`TB z?@;jC&5N|r6YWNntD@GS?(LfR3M+Z9MV99o_Nk*?G>@9Rqr z=wW5N$&N})iBapGIO8EYa2ZSUBEn8YNbe>U(=H^uvY%p7@Yrss+~YNGRIJxG2n9_!b8G*OR4(B|Y`F>x zMxNGGlb0|%&e1-bcY^yW#w}dqkWd#S$}K5q9jgU2Ia+SG!fQ-AVY&Lo#=I!*vs)03 zOi@@*5C08YV;n~nsOjlu>k}Ku3|O8%#2-rY1O`cKoP);gU>mq-L2AAC;Vb4^rj4Yk?AVxUy_EE- zgS))OJ#H94nvL#tO&_7^&X;4eSo%zEr+{-_a<`At?vd2?-~FZx33U+oU{`53u+~>3 zIyS}h_F=--IL${^=~2V%kUp5eX}5<~wP}Hc`fbCngYD8yg8cyWTzk z=QINWv3qmBT89o9J02aop0kWs$fOf#It>=wn3s#L8?kdZ5H<8K4?S(jCldgWK?xa< zUcfKjh4MbkhfB`}y($2kboZwpJcCsq2ikCXtdXa;L0oM}Z0>jgZ@Ty%R2BA|;-mY9 zvqwaCz}el4XTo5M;<9hN?C=%6!@ce>KZ2;@YydAXz=;Jr+2I?jZ>A2xo255~ZR-I{ z5*{FpP5K~hu_*FV;|;ZU4c?3lAjR*{GfY6~3_L@(u)fef>f3rziCT;oL8Fe4P8 z0v0z>DAu*HvB7G-5jKy+gR80+3$G3J552-j!p}my98Xb0R6(xlVgIt-mDEd#fQU)% zB6H$1Haj%@B|CAVgT@%(i*JK=n`;hO-F+3lOOaa3e~WUp-<45guNQ=Km%UM<(|SX$ zMLa4Nr-xs|0hj|MFD?n3dXo4LqklEpj7Bh)=Ipwgq>5Pph66Q2nO`d5Jy!8#2Z!h4 z;t&xa3d4N2?7mhv(neg{IpVzifCxC7_CAsWTcy%T6L1{@bP$VOmUoXG45;ePg8qyG zJq>xpqUi_qG&QMDW4k$*DV5t|de3kK3LT|VUw*NvC>6xmZ;kW9^-@yczKxw*7vt7f zXW+CUALqO5X(FW`9A2Hnb!zota%vr^G$ggB8g%K7|(dc5Q^gAT991UD=l^O<6bNX^dNx(>9@gZ+9d1`_NU&sqi zN6i_rDR%^f8@-jhh;a{SdY$@Y^{|(i(5(fTnHdT8!#WrJFeQ8j3C#a%aJrctE46l`!TYKWN%qgm^@^o>OxSyq+Y%orU642)j;v`fNw$mfI)wZc 
zf)5~!Q|By!TfItFe`uNdo+rWQFGB6i;`6^NDReB?RV8S%)*6Mo83?a^8iyWz@;!Ca zx&2<{%9W~=RR4tLCXofcBpilr<(irWZY%b}xd?(9+-RX(>VH+@hs_^I-1xG07vZ+c zlnzOSKVm)aXMXL*8XW_RfFQ%}_Dn-2r2{bJC_u2sqReiVk-}1mGZ;Su3YRXri(mJI z z2xauLR)|a(gYG=oB1qk)sMqY#G}Wlsvi>6Sh-{#@gRQq;HC`Z0o6f2}gNC~-59!gY z=e$X6VJbry`##+CB2XHk*tNv9$%PHn!e3kv^xT*;xQ%uNy?lC609g>owa55uXRNi9W z2ng1R=H%E!B0i5D%a`(H#g~(X`%=w_`nd!+48mI%P9<^mKkEhmcfuF%RQU{Yg(yXSuNGSFGULLCR$<7WRf(gR zzwjbm@TWeCO|pc{sn1+Gw5Ac#AP9|F$S61KIxLW0%%QgMwrz5Bb zT zri-}6b%0YB>u&+Iba*{8e=G7X=uUTiKDuU?P_@&B9cd%?i$4CH$R+TNsZhS8w&{XueXM0OBR~OhH~b=qI%6c_%$%holChBg z35&Ht(Cb@HoT-fPu^~&T!*9PQI@uflhc+$};H=X=>&z3+LSp2~39YT7mML(Ea!;Nf zG@yD}290Z&v=)>#(FWNbKn>0u`nGFJmEN6aQ|Oj+N92j`q!C3 zg8PvdMp}YI-n>=J5yDsYd(IhZqrU`>e)}_B<@e#R9GUq<^!^r0ANg4F-Oi+tNSYL01GP%A^q!Hw zZzAkRnJUyTroV3GFt|y~c@OjL_lPeNSuygyGPbes7IlG(4+2wc+$N4yk zv|10U!&+_XEiLEJC*%?~EwO&`cOV!x@d<058njpS$uz8&JRcak1d20ZH0?kI?)Pq! z>9pfKLFo#Yn~-O}R|*wrZr+wg4~k#D_M3B3%F>rB<4jiH`R+3mq948=rpO{PVigpy znsNiAx`#akMcW$I6xSwHxx+j?{*)5Y?7u~_y_|Dp2R<8v3vbOcdyUU$<{V+5HroYq zw3Je6b9=8veD`OR;3%%v5;gj=?K`o_Ods&q@4-(-Hqd^CouzU4 zfV=OiaS6{~n+>hTs1#6nFs_Nn${{2r4IUn@;=xMN?r8m7$v$p3MjSJ0J>8P$mo1a9 zLW{}@&8-`uM5RuCdeQP^u{~tWL7!Zyky^^$1g~^iI^DCnsAYn~d9nb_Z zzs!0DW;x5`-v->OI{d#`G23oSNd$A-mds~C3|S|jPL8Fw z#rX?1DPM@%TCCiPcPur(HKlMrRcZOISmI&wXF?l^fQC2r*>4goeD3Pw4O!XzaN(Nc zU#4}0FFIxbKF4?bW7+*n)~&2n$y_=L#?WfTffnEyLhRGFW{#K_y4o_%m3y&YcS=8z@lRZw-o}v6 zQ!!pCb45hT^!~pVrRzPj>?hG~7TRS|w2`;r_%%l{?TyDpf1$@D@(V@ZVMlO0+|cs; z)CRybSK3G()v;w!ysR>E3XB8YV&~l;!E80tKwR`$$k23f(b=;8mi6Pc7@ffKpkg>H z?`LWz2k;0`3bbu{C;|+^F~HS!rj3lb_gL}!8GodLZ!CyH%QnDZxUj~e14gVpf~Jj3 zSKHtk4E>l!7b<5d(IW12QpmTzX5!|a{kbGh^ZoI5O9{?k0U>m7=_I~mvHF~t2=c$z zo0KVct51XIwDdcaN}3VrsXDyxMVnDO&xos3V~jj8cq+ccsm!-_3L-C4$pRO+K{6hp z{#r{HNkcP#kofS6ORNc@L=~YcG0(qh(E`&@i|j49L2DjwEnrq4xoD(c7k%x-q#Xa7 z$HG-vUs%)B#nPIOiJ1QqD9tc_R>Jm>wXmp{xFCCf?MNvS+wd~@Ofw8_kkqZfldhb) zy?mWcH?_m=joUg!kAV4glEk`7ku^ZE8f2JB7!e!>fdw#8V6qQ_J2Z+Hluq(~0!2Lo 
za&2xRU|4vR$LO=0=t6Pu{bLL)Lk2q6vY@cdQlhn#v)__DHnpi??Nu~RidXvAa=C(a zt>&3cxd!ogUB8-3|2VT`LIl~3C;MqAdxL}WUECF@Sh%TFNnk()oX+c9aRcIn$MvU| z_fH#vX3;jRJN9;4LeEY*aaO0y5>K7Zkdnt1Ze{=)fGG+GcT*8YG7IGsz`1ud_Wt5f z%(}dYfS;%q22H9t_1mQ{te==TZ^(*YY1X`7`hy;0j8{yAwb@r6zA9U{Fm%~Th^gda z@BTR>)!d0fpoVj5G0)#RI|o-Iwg9HMjVLnN@eh0Yv~_<8SvarvSux1o-QC+7g`4&& zak?DmZ=Nux5TaQ~uFvA<0xIEqNhpRLJBotBNS3X#lPxQz0Anzn)7>i~-G8uMOAZBS zmsK9St?XtKCTbW`g?-MU%D`Y3JN2c+Rm`gib3qopmr}w@xyo;vi+Y~L2~9b}tsX~} z22le|A;v6(fhY1Q1ds(WZi{&`Cl1qXNAE&(S1KMZcS91M>{uHVXTa9q}6KMegV zP575d1pLe}jpYO*btJ@I9~j89%t9UP-M^(`#t|VY$wyPNznaqek&(ZDk!xpkFBhFt zy)8m`Eh~Oil$hW&thFpJn(?g5QY4Nc7%|-0>9ooAwqKoAJqelqI=;pz**(hl4hQH0 z89b*d@N2!jhpK$$xmmmB)Tyx z4APHdBVCA`kNn5!laH0fT{8Tiag2|53!xDUZTU-m)O+>t9x{xt4c z+@Dc4jLe4w%0&GA%QaR2WAP7ohVtP5pVrgE&UZks7S#blFb1GS>Lc!>5`DUxYQEpB z_Pv!ODVH9m`KM>gb}LER@S{!0rt!Y6XoVRJEFBePe5&IY^+W=PqHs8u$~yqgug>Jc z5V#pJBAC%FfwO0?ucq8-&*tH6m)wv4ZZROImi>j0K1QB>e#%N8saK=vU>nVhI!5HS zIsIVjs3^<}tfP%c3rQf4aY=VWh!h7QSKtSa6p1j=#kx`Ajko<5gXVGC6x4VxJx^cv z=rGykuwM(~o3J)tH|j-_3hmex3^M;346o)N(bi2K)XS=R1dhxp4U{@*316~iYFO?x zp^*y6JKW56b<9w=*n4X}TjLdK{Bs2b& zGEPZXSn0s1oLdf5R8ZAdxh}~$`2E&qTdzH0KMt<2rpjK0+K4r*4CzSADG;a+!l4R0 zj|q_v$@o6rw(U>pFN!Uv8Zi|p2BZNWFvrvEq)z&WFwij@w3GlCt^2Bg8zH8aS=UUW z<;k#!YUwOYhu?7zUn)0M5KLOFvqIHwiD-3m7dy#d^({>e!zD(f)!EH7kn=s!vC*KV zZrA>EC6l}dzG)EkW{767^hPH37yA7kAn2C|WRLUvQz5j~W;P6@+W|If^CC25q6CJb zo&Cq$boi*C-z}MKin|5fZi*?vM*8&f@F6A|czn+Ba@kPkL9=K&2Z63nYutSNEXWG7 zV2d3_#Ch1P5Arc)ZZsfPk;Ci4=HW^m4?2UvDxUtI=zZl8{suXjzaK^xCeH3E&T<|n zeV=nyycVdE(e?g$U$aj=MJ=P@TeOXtl8;0oi&^MDogThIb~h~^&Jq^L$7ec=xL+S~ zP8a{lz$k$$&${IV|5a^_oJ(`G%FFM|f_By`OKy<_-C^`hj_Tsfl#z!sA!i=gQl;8C zH}l+xTD{EC?x;hc7vuGHn#%E&=nDDW?fH`<;X!3Gu(-;I2^=CHNxQK3lcEvkyrLhw zm(5veiDHbM?tq2ZZaW))88@<^ipEx&r6?*^;kV>zO}ZRjP=P9m2jLS4*e7>Yoib8* zj^OSLJD4TiP?GVLte8#{IP~B3g6;tEA^s*fP_opaj*&j9xqa-sQ7T7PEH!|Dtp?-D zeY51eB`pEC{3xNQ{u+zE*je@|@90V;V4 zjlh0th{{WBHN$OYJRegq@{F0mRe0Lh?_j<4)yVGPY-f8uhKSlxaVp-l%9SBgS(_n% 
zVZ0UeR(Qk&r3!97h5&_63<4RnX#qww8RYLKf{nH2W|-a2mj#L-Od}v4%St#g&)@zL zy-t|Y(HCo-obUV1ryUnc;QC*+cj3+(LpDi`@2C34Q{(TocfBLNwqX?xA`YigOK3yd z!e6P&7^T6J#XD8%V|e@0YWkC5(Dt1ct)}AS#TuSB*hWX=&is7*oeWy4X-*E;W04+#4WV(b={BnXqV8#WdnZ5dI3sW`!-C;k7NO9{F-ET z2pyd5ruQ-nAdonyV#Wg+Z1%%&7!kPd=B_gdgcSY3aI|W0Q?9?Avq76ya>V>w3_m~Hk)KE zUGE<2Uq;GjG^Z;&MjF3n)nCY< zD(vdbIRx9pNC=kqZ*ny@){mW33_iS5X&AgP>X$1GI zIc-cK?te@t7DIM(yoim+IZCg{!;|!g+SC?Iwmk<`E$s5emO&Ot{Dz#JRcX;#uF<=6 z?ZI|-?Lt}NBl`Klw4Z*2@tJ68(K#KYGGU5;*@3u;u4;+c-Ke#7Q1+XPZP#8YeX^Sr z!sPexd3Z>?@C}SLSJC)Zm(9%3?w~T!LULT~H{R0AbKWorsz@RB?z%{9|EW<`>781& zax)A&77=ZFA$wD!3OfLlhs{=0k)^C2>inCoujkK?DzAU33Y+B#m@Uwkw(Vgh&{*wd#IB)iEQ#H}yH~JWgb%TZrKOZ^j>5oSo-LrqiV%NJWx1K;f8zO0SHpCkZ3&2rf1g(k zrM|TYUnh!jIWmAZDPr zP*QxrfF{7lEhSQ*y_lslM-439Ul!{TKdN^jpY-26d-^c<@GMebG1IE|6~R;lJMq=E zWSmI_t8bY>6VdK;m*4^tIQ~%Znge*N#BV$AEWX7~a4!L@$;$ zwi}JCC6|GNY4(X8D+i?qTDhf94m}*y?Ki_|gi4*=-$RlRd}f!TcPR{^)H^crHPQgH zYNqNa$Cq9X^Ih`l5Y=xzy&k$#Yf6Mt|2be(YjD!z7efy_4L5=W?D*Rvy1rh|jXC#d z7cA3ft)nTs|406^rRb{bm3l^5Hq>@y_*-5hy#MfnUR|o{3^k<0eTlsQ%-`h9J*CrJ zJbuQyq7neE*Tp$nM^w9poNmse3{npAV*Q3Q_x+tAJSv;vlAlx#TU|UEyMbDkT-LNs z#XeNMyf%sleeF;l6kNOVu52x|YxZa~%Ce4n1xDt;4kHsVF|nWDZgsRkJGDChDLL68 zHhJ41Wk&)5qJR3C;JC5XEi4B-A?cztZFl%N>{?iK@7|Mm}}I1?h<2Q=* zo3YiB;hmy_igI~~;B*D|ZaRjSdwXA0QlL8h`y^B^fkMc`su z|1Bz-`X&TAftyr^fwVv^;Pcr0TS~^wa7TZ(nd>TDSv#eN!9hYRQ+manGg2GG>MP3S zEIDhbKY{8V6t-h5k_$BD4;P9rV&_Z(F0*j-t00!k17C;G>$tJdN4hc;`;>L z?HgERQ-|oLzE?rh5aA8|nX5s?)GakKi_Mlq5NNQjn4w0EYla&+c}WW%1|u4{rKPUc zq9zUY)O3uf9_UV^KrLErS*0k^Uy5`X)h5kV0dfOcw4MFl)Z}%;1)>R*uNH=qmZ4KE zCPiX=b;~$?Giyp8tjOyn)fRv@X`Wd7!7|6T&FgO1P3LW~4XH;)+jf#KgDn!Xi47n` zZh>eQ$(2&^%o^_=VN0*JzqJ4Mcpvc$)ksc+L<}9>cs1X}iq-RM9S7N?i+){nj%G=8 zv%QWmYR(!?mt!$SBM++lC=-T8LIDOiZ1fTEnW0I8N)d!Q-db zi~*Zl{lq#3Dr8e4n_=j!fwM+QgX9lQ8c#(Daw$cap`N-iy!)BWB11T%mDpVp0dqCj z9%^#!H4IUjZV=w9)JzUrAdwh>*h|Ys2|9UKMOV6pbdLO_4s|b$Ve<-SC~(gdDNVVp zVdnNpC-$N}j?`PE((U=@7c6wgi#u!umc(&2DtG!#%dEE=GUCy6u3H4dAEPgGI)9cB 
zV%H(*K!jb;7nISza3K5A?Dk7~`6nGlN*AWd+s7}o)HO&3RiP-fhyBrYsSDnh4pUga z^+$|jKj|y2n zne~q&lL~a}+qLJ+AEfvAig?=|A=%BwuOf-4Vmz|-egpKrMakvnHUm=Q_|gBd;-VIT z(8hxQ6XTSKX#TGlSDO9*72{aM4M&>J+_pZhi%^1Tz)8Tiw#GLoZUce?guoTU3lJiM zdG4-uC;5!C)RU>$v<$;lX6@0dHy5gXw>(kwkvE$0uo@lAh$$DGe4O@YN((P$&!7Yhf`Xk1V!PXd=HH>-1w2jd9+nNb zoDKSGcN^~qsAL;6{6c4&X-Tn21pg!Z36a74@P-;f7!NfE>1Lz&{32Vn)B%&p7Bk>3 z^S<7A`1I8U!!-B@j1a?B zzDlZ1YJN2oE_O@3ObY0&Loq#WcD4v=s&XuC4iYs;#auq%h9rQODNO43Jbr3GNlMFv zca&*_^{Wyuq`DJit*8qX3Q@nkOW%s#u^JnE5a%OV7|WNiU4-%W9Ka5Uxx(=e#~L{q z0wRM65omQIF_U}?;b^y`?@*khpR64tgg^g3kTx=@5yVxQP`6#UpJtBMR`e1>A~xgT z2er^;O=BtzxN2jI>=|jsrr4iOtEgqg76ptcC+Y6w^HX8Qg#C`@5L7$HR%7>;NE_ET zk!7*TDot!__pVQ%(ZNP(BrD9Vcc2_;nHIzoRPBW122TGTRi+@`E@5B&$#n^He+Yd(^q_LCN zDgd2mhC>)VgZ|0>7}NnWyEGdMbPC#F)L+f!Fop@)fADNnudU-nkQa>>WI(NM5I{l7 zw7%n{9i%v+Ck1kDHXLgJHN%Y+CFtdDdeila@G1qNbA`g*^}Ef^-`q_}7r5HCRcJ*5 zlUAnfT~Iv1u*$^%%@@^5BbteVKmk>nYHPa9vrU99k9;wnk`FXR!~ha7BNqY>3lgd! z=>UyYFs}BdC1yHf$$oZR$Qpw|m!bBU_CE_yhV9vD#HKQrXPB77YnEyTN5}@fXFe}; zjHhGRx30}NFZBhofrckmo9L-EAEAF-o|(P-%8Pn!A;$@0U|&@|Ev6L=sS+3h*H@WV<`q)({xR9>wUECOfxfOXg5X?vp`rm zi8tVaDByB_#Qc6#Cnk@A;_;EqxCC>xs*3B73a$$|O&fH3z@(jaYKTsEPZMdowT|R+(=F@H zyWjz-KlbI%Zz#!Pr7>kb(uHe{#anS$hmk-hqHx#EyTu;wch}EzFcN|8%_0REBzybP zc);OAs>4U|MgOp42>O4p zBMwmek=pA&*pUv5CrK5U0Te>hY?V7UV8N-$IdJIvjEn?tpB9#ax(*j-FrKE^dhv;d z!nEZhSvDz6`uZ3Rhid)Ylx6NH!!lM{nN;IZ8yl+v4qjSJC|=3pU>EHV#g(_u$Nr1N z6=t=iHFTO-yO}xRpYYQx^&eTk$^R*EyHypc*RBPhlc?I*1q#mK_N3s?K-(Qx z5QeeTx~rh3eOLCLoRy0=CSne=eo(ATL*EU7x?*tri>L|O7vede?j7$i-ZX0`^r&3g z(A+X39cce1w-{xn@48sZ9SA6>8q&rvDq!F&8n8?F0OD?7fN_lpOKFQXBQ$a|)aPiY zZ)AcGckZ_W!kjvpvK@;K1Z>milJyWh(T^%Y2(KRJ##~k#4}6jkoIuFC5#RWKI{ z{V7ejzZdpF-j4Rjgolpxq-BJzk2{lBZ4{&@CvPX#Cc55guF|I4?+<;$CccqfRE4_3 zw!U0~V&WYY%P<*_B=b|hZ_N*jfVYbyQ(d6X1FCDpBg zD2M~z%)FzN_xEu1#rxYrIz2Ah`=pNWgH&?~JNxDC)7&pVRXNRu30zyhpmBv$ zdLXPei0fNV{PV@H*ZEcm1U1!@giEf;A`-bNXMaE5d|Tn_;ws0N3*-iq4du#Oyq1rdQfr5&yq)sI(S=Q35WZaK7Q=DE|K6ihoqmgu>f082nx~+HNg=MWw*CK-NP@)+uAB 
z%U(y5w%St0*-65#$S3f?hcM5PpebU`_3Y?F`0*u6?s~hyOJmmlHl_aE8i*)=s-*3t zw8uEF&6)&WrP9YsT(}>`u5Z2a?6cK+hTzo^iBBBeff`r5-GR6quxYX-Ph1bIlYfqY=vJL&my5HLs%QxI?&~L;qh+?5v0zs-3BtYzeqjClq6P zG}|t$`OcE&uIX2u9E^usXscX!yQ+P@aDtNz)HSdwKMAW9Lsn(#G?>zr-wn0EdR3M+ z=bDXA9Gr3VrIf}>{BC_w(da|#aiinWa^9*`91_T+Y$`Y*GS|QDZT~(5cQFx&pS5sLAW0_%_QSOR}R29p?@116=Jss){I2OD0p+M%g@uNn+Ih<(MxXi z?+J2c)oqFNPa0NBlb}j{^pVVUHL==FDJG0Bkn4U>gFc#;(|dMyCVifivx<-dReM4- z1z0!B@(U~6=MC;dzsX^veL6V$4{g&9shBNLn(p(+X2B1D!L4frS=!}a$DWueHtX_y z{WF6OC9?%a3ivL`Lq2Ns6Q&$*uT2?TxUT4?oxC|-lO%P0OQ*=0GgGTbVGnwcpOD24m4%a@BHqY#Qb=Y8BRt(~u&k(=mMo>zGTGyUDXgBr-1>+Y!M(dR1Qk@q7^=8# z&}ojvb>a5naQoMGt|~^!Qaz}&cToJKO`ur1BAou zC|o{ph8NWI*WqnI7wBlK5bh_jwFDE#plK~L9Akljval`Rs7ZV2+-r%*Qu7C9-_wvu zCY`8iQG)MnM@h=Yf{%531v&bIr-v+wG{Y@bsncYc#H#3uPmGA1<3=jUKIS?p&}Mi# zBhC9_BP^^R$9AcUVd;L7#p~vqCPFpT_WPoO#+g>1F zYUD8l1C&i`#Jsc+8JQe|Q&mBXgPz3gqv1=*NA4tZDjh{9g9%b+C~U9^o!_YrP?aq) zy&a2#<^#TVIPCm4lNKo-ICnnR=`~;a^}AcD7q8NbC2_DDbNVzfx?kropwVGht%E2L-y~n*yy7 zlF&S}zH(Sz$GgG_!Pkaq`&OX>$r*~7J?N%csEbXsH+G6S2IL|*I;16r69U$Jtn`*E zKh7_r*>}>T;yVf)H5Jxc{U1Ww(RJ(dYHS-Ja|8z7C;TC~X1c?4EYtDPLWll~T7q7M z1-@T`f1)>4u^g>u_UUtW6=|rQOH>Apz`k!M;*1#~Z!F?$$~W7@>|$Gn67&cA9BxCk zsXB)e(d(cLsnTrSU=G=Eg#V4BRTKXQM>i6^(B_7TrB&%@M-GhF=|E0P&Rq6SS7OepTc&?sV_)_JmHMZu*TWL(kkIW;#Wi zWO?$!?1{8UjQNK&kPK&pVl;I{|DGaRRQ@AA0bhY{>MpS}=8o78HY60TsNI3slZP)E zI_F>4zO+d}g$%8WQaNhr#GoI&mfrwL!K&qQYR0Z`1?oN$`fdv~hdvwIKpbihmD-U+rVV9DC_3P5o zt}GEV%Qey}b?X($q3pskZX#^DMb*;O1I-TA)>BhJm_gQl@{f760wbt-sB$mb@aPsg(+LHfZ3of1Ns;Q4ujz{C%siukS2K#1g8U6q1CmNZG0; z0EM{2TwSC*SxgsC&27>}!QkG7+~&qb`yNZr){#1tv~Kx7$UKIklx{~g{rj$)AlG*> z#gOrnZ!Or-v<~%0KQ%^v57LM&T#o+TZG?>S8{Gm z(qwV>ynmxcGH0a}SKQa=z2?%4al3?>`{=!TFeK0Bx#0!mn{{0KG$*9u!71~=t`5g! 
zkBBsZ%xLwk+$u=}QIr~f#OvGI$=@dy=J{EZS|%|8sP^pd);uiFNnA;anz$y1T(L*K zzdq}E#b&+=WrjA3SSq&6Pc(*D6mB4AFG{Qz0oolDB-XnD3&T61<7pKp0RFdvQ7jGN z>bdY{*a?S4t%l**=C=b2LQiN+*|nG`m8uWQB|wscc@Km0UL6bEUjw1KiohmCg7IB+ z78VRybSGd_(3hC;j#?r47E010MLG$mI9B~8wd&AO7L@)Gv{|e&tdMHof6P6#6B$AK zznObDYt5*Ur&3m@%rYM|ik-yDsQDU?NJLuntWR;c0?^B3l5omYqumS-qKb=jnxwl+ zxZ?O(B5`25co*8!?!2uS!jLJ>GAcJ# zImA(m7#W`^Z)tO|Y78!yI=Oet`C7=v8XHQB_p?B8)tlNP-17UBwjP!rn{p6`4Ux{0 zSAX0J=^xx5RXx+o`ror5Os*wCabZ5|u^Pk*{i%%_x%x`th&=g=V9}-|dJEi`MPxRq zqq{i?Wx>#^EerFP1JT=8<1ymWO%n2W98^dC*J}p!V>2K|vQj=|mFWn_k9chf#Xp36 zZkRvd^7%;Z`D`oN0`bzn5$Jt!KV*QOFXHWYzqW#$mIwan~I?)4GDC0i*M>2VlB(XKivV04BI^> zx}196W86>DPp2`?*uPP{v^nCCJm_5b`Mw9+^feX)tE8!tQpJBjxEtx<_x1Ji@f7s& ze%@~`gyvFr2}>5b#=0Ot(}?`bj1UqLE;&5!EWXuew?-QCx^l=~48NtyEOp@n%w17Y zopP-cBmsfu8_ZaV;;oEs#;r#RhK%i8P`&+KLg^;gQ@metfH_h}Ez z%PCH^Ax55U=}FZD4IL_Y^}IDV(B!%U6bN1qN9UUt;NY=IMNAB*6+cxksN(DH`0Z>f zvvB%nQbEx548IQZ@V!{T{Sr7yJyca=Jd`PjR1k zC2;imcv8I6A{7N+|EjCfe0+rNd89*-!D5IdR@GN1OY1i;D#DdS9LxJODg*x#+Z3#2 zUkZ~6^HbO4cde???1HwlSG+Ypz0RRn6E~DmdVc3}IY8*@GhOXPjWPu!p&R7v z4)X-ZR}7RvCiMY$^5vcVTAlH*e&RJTthW<0J0J+8>K)!y3Qig?G(-f;A z&)I+W|L(Z)akIMf$%@yF|JiGiqRwpXeON6`{WZYv`IolU=(^NL-U*$xM`MV}R)&UO zUsQZv!}I3&u2r{WWQTE?P5M?wac)CsRO=XpX(ts8Hb%<;#`sQ*f^p`J=b3!HTqzTY z-{hs^oY3xhqi-e{=I!pD!H4&G17EiD5*xR(_W>I-aqm?TGFl31zmE!6cgdI|HRm}> zI-a62)<`^4HsvG=h&0in)DEkeqj8YH&i~v>=vnrOx$tyzvFH1lcD@q=g3~_T(V+CK zeRE0$bES?I>k8D~;C%9N@jib#8poGG+Wbn8ln${U<1uh`lu-Ly^tff7C8 zt5dpSo;LJ{MF~O8@+s!njbXr=?tJXhd1pQsZhgTuo>OHf%Lk+( zsJY}{T)@GSW_ghfXE!x7v(7&w<-2gkX3D$` zO$T#KOi1Vjv-L3rRjwy1d|QmFpA{2-pqgNmdJuDlmZ9T#L#&p`v#Txy06Nu?d^sT% z4N)fku>576oP)Ohv&-1p>Zi!!o2 zZ>SmGAwO?y&CpGvy|ujLLWyyjsl|~b<2Z9Lm22#RQrQf6#S7G-iWl>)IJv`3aKD`aNi@!OP?jHK{Uni9z z`jK4y5KDVlp?f4_D+5MCeUm`f*MVgmcQkA&u33(-=uV3)ojwOW;~#DkSES#3*UG^& zlp9A6VmAUoYp5l1uj@#9mi%Q0Hqo{mhj28$4d%BwwJ}EE6W=9r|3>m+gWa>`?)qg2 z(#Y)to;@LCHz`&IzO72_%}}By+%8tUzMT(6Q$G7YUq7Jy>$5YxpTt<(4reWdu~DLC z3p#st!J&=#8l?a_OfY*B5)s|Om&k}0`pF%)H0Jrj*Vz#s`Qt+nL7`2zF~WhGNPQH+ 
zFZp!pkHBUGAGc3cu$}R%?6grg`;N+JK?iQnoH=#MFln&+raxUxh1uS-R@SYL!*hIn zn`FIKan@2vYuc0cllQdsJ&A~rdwRh7?$W#96K}2Nh5mJav}d;V=Ned(tgW}L9*gU0wJa zK%hFppt)}=kjt_f{l2g3WvL4R245HGVjZ!->!e5_8KDft@IZ{3qR4Q?ymZW;@ks=g zS2PZ15ZCL&$8mGS%WaQ6DT31*OZ?DkvmrxMr%5j7m`>$Zz3ZvU!F9fH}$baxY zTt4btG224NJJHv+yJL<>=|>0J2{myt)cNEHlP$V^Y?_}FQSF|RAS)g1^{n8J?mAzu z7YC@4>CoA>fo-`3KZSHxrz4LpEh$vD$%QEzEA$?tIJDEl1V2lTxyn6gUr^`EP~PWg7#>X|7wTqc{A#T?e*|! zN31RQoh69ryi|VUV6GO*oanV3ZdqL{)<~I_Vz=@nH#e}dntua&Iy>Hn9Qo&o`1;*H zFBzbt=Zkti4j%fqsCXPU;Pf#a3pa#`|4kZlKM+&4i%JV(Oce;lxhk87w{eRUFzkLN zMB%^wSBz1-Xm;VXQ+&Zst~&6cd{>X#HNCvbf&0E$_Y=c5UG#M7 zfH$Lh-nu0~bVsvv-)}*qY%|{qnq{0ApvG4ZVcnk>#5QL0yfW&=-$Mb(|{6hL>~E;UD;gon}bndbj`fn_DM(-FNUzkhWxd z(&R9r-i3$`!SLLY!K=EPF*!ed1;hMBrB6kD0w$o~Z?27BTrjT^i!yF5uk`V0z4Az6 zzTX(*R{|KzD+o1zvd%5>P!{{*_paY9J^$-W_%ariO%PhWlmk=Npig>oF?OGu+~D2c ztoSXe=M;ql!8HVYz?|herj&(P(O216)fsgEOQhViN%sJF>q89YUjXCMXg99BUvabj z#PMgASLCHL6&#;XPTU#?&h?}-Hn9r0f&Jc0Fdlxp=QtLabc7+7k}oZh2{FrZ98*Q_ z2g{>GPsK`S=4umX0qjw6W-beY_$RxbFQelVhA0d=u%yUaHr7hP=RV5D79u~(^A1XnDo!>KcWQQ`X`;6!+lMz_^!eH9H|PQHgOSN$rLCvjFsK; z7GahzKJF;u7hA@c5_@D1G0QGIAOK>&xc0TwD!Z$D@dF+D{xvh;_fgnLw(wJrn{G5E zl4JH>;77D|!kOnR<6RAtf^i0Px68MkAFiExpKm>k&2iUr>PWkf137h>ZPO7bHy5V`d6&}Y?6YQ zW4>C$^o%xZh3+MIC@)+vsSCM~B<{2q8R|xLr{GUyD$i+ zk{d|1N7Qtcq{9*K69({{szYijotGH*12t^W)GAOt`tG($%OjBn>x|M6jG`je6w;Y; zHiF*T9SH`5MLeG&a?qlDn|4q{_b?%3V`l3j{68NG9)VK8pIMAdZUwGX*Yz|d$HRc=;M#Mo6_sJ--$I*ZPs=( z+CF376@qX40_!WRDBZ-B7~@Y_~<8Y~Z!aac;X zRYz#Ilnh{AG?BK#nw~xmlZHa>2I#~~z1@Ug6Fhc*bUx@Iy);;={TVbaYB;UmI7Jls zE1#wSp0DtaH1-QC?_JSKoxQox)zdw!SX&j^gk9jxQ@K(F)l&+GO+J*MKl10{(zSbW z+ngWG0&|ZWSKhC0+huR*V`#yOZDH-N5>W^3!};@Ar<^ld93x#5pMxz*A|!%xuv7Ym zBLm4ce<~aLYaPE!?SM$@{Iy&o!;$5)}RHi60d)VV! 
z%?YnUAJ(K3h&q6jFR z;bqZ|@PUk`!He;OPdy5ia^fT-W~iL_8jklg!9xYHn5UpDu~`mV!LKHODa~&I zS_C|oGG_Jg@PJ5n?!6jvBQ&_{4Elh3J^R;?S-7LPI}digngnx4Fv28$a2Bg?MzU~t zbmBI!e>usF;RYoER0!%1eK zI^wl|_Ig8kZ}~&hp_NaOOz%k_4pk%2`Tz9~X#?`17fLq*^MR-<;U-Sb|q=GXQ z&iZ*?>hO^2lGB$#ER5YMz$ojR!Dfc40El)^0Y&x6&cjM*LQ!FAXB5VyG z<_}Zq5uuXmxU}ExeAFw5{doiE9EO`AtS&-3R2PcQ;7{uCP=@5%eW)6^Xl+P3>MFJm z*}00Dtf<4)H(`d;@Vg7qcj=VSUsUGjM*YnZRhdJV97u12UIGjY!TSmE7}X z&<}Snvr*FRz7Miear_w|eA-$do0F?3-CR>Ry_B=wXvQ7r&l2{uuiZ~t%uT5Lji0an zP*V~Flb0bZqm)mZ-r|t6i|pbWS86}psUNyUp|D3_&+A9|Q=-6XvDg;-$tSpxlgn)` zLo+MV&z7x=;^n$P`(od5P~HVg^U7ZBX=S3o5)uLmojW5}P+1#?)P%ehIHX=I=8JzcSympxO3jJd7H5$KbQCLPa)YKxydZZixH)_-kSqblD@_?I4Jz7gbcd@fg;#+`9hl>fg%1!mFh^@sk#Z>=x z$mOYF`xUgJR>b`H?I0Z<=I3jjZGVn-@4$_rd}0C6A?@&0*-X`*H%oQcRVuN4>|JR@ zsm7`UO%RhyFAva>c;_PGB!U^lfWqudnTCd}Q#Hi=Cn)W5VlI>gZ^5o!Fgp8?PU3%QgbC}m=eujjZ^GpFy^L#>1-`xu=CSD1un!iyx1Rk>SHVB zLL0@99~-iI2N_RyH0*ag-7h8-I_HEtAuOG;qMF4+#&bOC7IR}@gc~B^-OjR@NtNle zNC0(g<~>6_&-j6oB`)k(2ADI!6Re(4*6J)*)O98g)9U$2Ktw{HdZ) I${0}p1t(C-`~Uy| 
diff --git a/golang-external-secrets/charts/external-secrets-0.9.13.tgz b/golang-external-secrets/charts/external-secrets-0.9.13.tgz new file mode 100644 index 0000000000000000000000000000000000000000..464befd970d337e51451d4871cd1a9aef6458da2 GIT binary patch literal 96126 zcmV)JK)b&miwFP!000001ML0#cH2glFpBrzehM7sn`P(xMACAcq>tC>GozLqx7s%? zNw&XUvu4Fb5|R*s00#giE15jjd4cm}zrA-|Pyhi`6$w&uQnkKsIu;9c*;Tdgm+(sw zW(kXjc{t6&A|L;y|MnExkKccf|GWR=_fPfzmF+M4&%giihaZ33hyVANr~A+Me|+|r z;QKACWu-0if@MMQmw7b33gfV~pXv9nw1xHaKfGdDF}h>(xVJg*fPZ-Yy!HHle7cY4 z|HJeB?|%64`7=2GANHSq_m|*lZ!73%fAaHZi|AvR3qC$+tS2&1U(FN5kM+Eq%DMpkW~Y3wtRDJ^p|G7VMAq|F6;0;nT;DaIOOWKm3a0 zh4AnAMQ|O)ag@xb>?XbYk4yX;F8xsuBn;uhf4F|c|Ftr4akqd!!>Pp4l;H_Hx{;HM z)7kL+S0Gk|^F_=63jI+6cl`gu{*O;R{@+FGIRAI=&tIO6iZ8{cbC~e|_s^c!@c)lM z06hNRMXR5GaK-Xq5{5}I3m0*E7tVrwIh}@iezA<>yZ__SqvIq1lo@70kwVAIC<&H% zlw2yxaK;DP3+~coa2v&Okc2P_^ad;(EEfR_c$c#x&B8}OG!A1pgfP?o8f1X1m)SH7 zo*-2Tzc9Fz;a)Jg3!o1mLYR*Qk8jvAE*|T{eLH&e=q(NqCGg>#P-X!Cueb_>S#)s` zW=N?JtL8y^p?{eNESUvY=`F4lh|EQFxrA}x!}+5rOJJ)&;Fiz@HVjJ(UJ*rl5&ZUB zFycJZKY-u`zyJPdQ;fhF|se+TWi z-^TyvqnBS6c=_>>ARmG+1OIzU*ZR@_IfhI9+iyd_2p7QJ1cUmW8R18RU|4p;cPXF6 zI~;NJk;Ti9_k0g5Ocu?;;D3T5TPD-shwtb=qxsqL;v)JI42FY1j1|JN@JZ1!5Ao@T z@bKjfgpz{)Ua~m4hycd`pF|rNJ^B>#v8jK7GvH|BL%bfJJMe^h`KU0Q#)0eqaRasC%=;>F+WPqtj60tX*tbjo4H zzm@B({Lyi7iwwB#i(v3?`S9QJL2WEPsr@}`{?E$o(~cG2j9|y{Na<+BJ>k7#HVI>! 
z7}kM%rx>yFXA;D*gtqepCu?qbMCK8L1@B+9&@5 z7$Ysh8Z=f%;iBzqIJx5k$(wZ+W;fAPeSZs#fO-W}f+kn*HVj=ioh<6omEy`FLQ@tnM0pc)-7V*T!;J zyN#xN6*U3qNjpSJetz_A+n|ZQWsT#N!wKRayu${NCTQeZi}JHQ>rYk~U_V32H%Fhp=ibD-q{$a?}eq1X-( z;`&OEz+-lkE;AbejYg}2nf^2qV@RT0N^UQt@W%Urn3m=dAk(|xiTG2&E`c>sGBxo} zCD-z8eTEfiRwvtJrdGh-w|2_6ZMP2nZ=Db21_3nnI=Tm#^uPO0YxbXK&%gW5+y8gc z1U5reRtqK;l;TN}7Aw>dyS^oQXm47G~rDUqcnFNwXMKpebn!sqva=!iM1&BU}#DUO2S$GrS zLH#4jk!HL>#dr4ztNr;%Qe5E6pR;0m^+p4-E0|ZM))ELm@EIkp5;JP|Nlw>w7>jha zathd1PNL&9{#t&foe2L!T-kgdw@jPOYI~)89t8FqS=oxbU^cT7!*K#nRhWUxVe7wa z1lv^}xEp&|G0`LK4lIjwj=!8$`kklOVbb+FYHX_-rn(iwu>pXVSybHNUtuHqt}8!m z1i`B`FW!a4ZJJ$oZAj}@ek+VRS$w>-``mXC}IB&mDeX9ep>@wG(G^CSh zJeXlH98R;@Fbn^C87{*iNEL96S^T#yDnMP2MbGNgIG%V2L%bA!bD`@}$<;m_5%a$_ zllX>p;4J+uLyhLN3ZYsZve_*A+lzLvDpfBK*DwKGkQJ+gU4<+zu72f%bsZ4{fj7+a zlPsNtBkT?TfZ;mkuYI#RKZ5Wg&{;vaIJw{v8~k{NE33zgM)3QaJOX(FtIsZN{Z@1# z#~s6m^3@Mla6!hB%P{y~*Wuk>@V{*KiRe%Vxejx`~*)Kp0XMi8@ zteSd>B?`H|?d#PK>X@wYk9dT66p45I5POf|y z?YHVhtF90IeqV((6wi0k&6pbQE)Bwps~5o-``-Op`7KJKB4Y7T7_&RL!D%uBM*7*) zN}olTMMR$YuirZmH@ZGAlbh<2!sMnuN@iMu^r@@eVD;yISJJMDBv5=zx?-7CB~lF70Lf z!3@HC_Wh4u|GSH3 zt^aLTR~)HJ@ppbHgeG`>mGOe)*-~kIvN}n>+T-D3HhBmdWT|O0Ao>QF&!gnvhD9*~ zlrK;JODDRw8m&T$)>t0<@*!ch1y=s%yu^kPD~sH+v7oJ^k@}kN<-K;^0Tuf90N?k_HIn(kbxxy;}~q zfXTCE%mu??02_UkrOSnwU>FSGFF107o6p5g2lQi27>B-7*mgRXeg=XPpgi?%lI&EvdVR1C0C_Qlt zWIP?)<;vSu2S|F6qAb?5j>_EnqHfok>LzTNhd-IkHX<(Nj=(uh(`*(cHs?=llW|=& z5Hzo4I2>+(DgF+BfLr)gAPiXUX?THSO4xVo7J99s#Xk0yFDJhMpCeG0c|146svCnX z_gJ;Tex;1o18olcpEy}}7SJUBKl^@#|NG(DGtd9+qHW6mNehv@92?923XO|b-?N}! 
znxd?6xRb+I9UiQIKQEpWMj-xUw74lF-_U3!tFKQtldT%^3e1#Ka4Vs1#H*Y2sGv!h6bsQg_9_6cXJgZ7;P3cBz>QkW# zJW^`v3gK=f8&x`l-lQw!rk%bt5jSO@tS~j?rkW-qQ-qRJEtr(fK5RBSPJST)rXiSw zc!0U+O0n(ObvR|ii!7bDF&w}DK3>;VxdsT0d%uL&i-Go&Wfaf&YHqYlulvtOPZeub zef0SVzD38XG;8*?m4fLdS6Ui+3yzCl08G$znPySxL^rI>uIT{}4o?s0hjaA<>b74u z{P+g`&SlzonX!0fOY~cQ1%mB6HaAR;(Zb7^W%WT&?wzJ6i>srXJqlz-D5dk}AiddV z@#2c@i-~eTCUX_36a+9#a&U6|@w>Cy4?$2#zxzK!?U$go=>R~y%o0p4cJM1EFFcff zzQHLs-rNP{wqz@=SP_T}hm^t!GcGQc`4wz?jL`)YHI1YJ79`mV8SaISS-_= z@nyjC!}Y<`7g?BJ1$>G0+9~xJhh$~MC$kXXKw;VWKPRhdWMSuv`okz|cGneAcof4syPs(W6I|q0Yh( zmV#MS8ZsZ#sUS%mPvUgKlM`d-@xj5-@cqHExEjr8+Hi{u){_-c-8WZ5%ay-(UlzJB zaK}W93g2T+026l>lYP?t<2efe5CBOyJU9c9NfVK3kdldDv@$q~Y%mbMt7SY3IJPZd zjA?qAM8B%hb9qk0XTZHlL{4dPj^9JPy)yQk-N8UOZ?H_X5pOtZUg@urfL0Ddk}XVM zvqUG=F=5DPvP5(>p5bK~=h5YmWz(yufZ6E47SWJ4lMr%;Gx|o^ylNA3-5k6$v^wcO z5C(HREJSR08<`l8Z?-%W{1bxl^yS%knK6~ljUQ3jwE;r%v=FiYC`{;zUm{_mQKgxb z=d+6=q__EUGLH(p7XJ-UFYq8&2RK#x2V#AC z_0ZDl2OQXypY)JP+vBbx^D`Jhy-|^tR!~-+;DY1N2850+99@p&S7<-P?ek=qaHVdq zfR_!jk|ZGBUpp{sxG{sx=K+jT5xMRTVb{NGl; zK?vl6YKor%^;;c=M8l}>D$wj!j7^fZ;}yKny6EGJU=D;fTEq>jL`0Fp{ZC}t(lA)0 zGoFSSNhQ~_)8Er1Me;C4b|Ad2L{@ z1qDq*ZJVyi&p9Bv-pj{Lly8fn2#G}ahV4I(JE8RoNHKep?z6;rfs!EmUu;Z8AX zPizm?pCOH{Of5sR5@5qM1B|r{q%1yvSE&+{d|CYyIXL6dGpcu*O()gS`L)l0*WaFrU zUxGEU&7n4g$2cD21RmpfjI%*Ed3)OrYgqD&>vGMQa3xNen^5zq_L0st%ip#w)>KW$ zJ#x%v^?^yq=7k>`@@saEMLJKRrjlyUTYy9b`NO*)kkp~t2LsKPGayPULHDc8^|c>} zffaDLg6}g-_!*uni{?b+niG;XX%gz~xH+3C-82^5hH*T+PEZ$HT5)Jb(nuVio*e}6 zk5`8$s~6HZH69HoND6$at_EA6=C~AnV`%_rZ&4A>EvU9Lj$v8Gx;JA(rVJ!Xe+wIs zD(lTzlPK2<`_M?!rew(yqGlq3ja!d4BUgqloj-@kO_ZexCM-P1ehuFXz`h7hmXkP| z9>(diNuy+QEnZeKFXIV$&)| zC!HE?Q>^3Q;7HBid@=ClUZioH-r^+XTCvEGieB9dSe#>hv@ifpxl8MMnGP|h9K4Z2 z)4r-dG3um2Cm&s=-@MuX{#oPVv?JRKKAgQmoh^MP{&aX1B~1MHt1z3hr0saaWI1oX z%0t7&z#c18xAZI5)6$`Pk)2Ods>7S_xcTx@g}D@uqk^f?UMPod{Eq12MVe0FM({Fs zBRa)tR!w7NwFz#IUULUWJozkO7SmjuO~ZnOWH4?p+{(sH(WvQ`wFVb(4lsI`Rd^5onuVNz;5uegmd(mn zSvT#f6XVC!!a9_*yqMn&wSOVV_7G(5pS3I`7q(^s{wyqD-J0DQe;L95xkeveKp^rK 
zjuEXQ%D5U6M8~d|tOygX2YM6Plg$>D3_$;sF$allltG5lZHH8sPJE6KHt^k{w?lI z2#A`ikZ>E4vy~s6hG@6@SaDd77LMh2u_*VP!LC>)_k}61^H`hTprVlfJkUz%iS;;x=9*6edVP$K5EU1l4?*&>K@{VZFPjYTn(` zyLvny)gZsmOCY~QumlsfH5-Dj$dCc05Xe%j7y zIRIgmZL!({J~u^Mt1H<2TDCoqm6aUfF3E` z!fO*!abr2o){5X=SK!Nj5{7sC&NgD(@Jpir$&ARXe>voF?8tW!RG9XCcy>! zot^C&HkJCo2s>=wK*|V+Yu^`P}4r+0+zlH>0lS3(*t_w za573#!GHdjm6tYNTIr~X?Dq}2+oBccX5ak1ON2$2uC%!+(%YT2VqDALU>Z~pWhBIU z$31D(>LhwC4^Ez#)eKJI1GoPkbQp5La~Y_Fb=0?4<`{czrnZJ0;L zc63$7F3!M~z+oHGd0BNdxQFTswFtK2zA0wJkF6H2tJ|6s_2W2NuLmh5KSu(P7^?E z6rw>T7XpSm;z%gOs-U1fJ(!PcTr;$4WS6BLpo|~_@)b6_jT^PEb{L6Lc1{g3tZqn1 z%5Y-n5+1PIG3SaGEXo9gG3i5Y77?T~?MpG}EDbsTC#1eoI2b8z6cJm)pYb1F6Y4dg zf!Bn3O{mv|t~9R+^_tL?wsTGBg;7LWk1N4(m0!Vx;a@SSBfQ9fByDn&1l|Q*mdO9n ziY@sGNA*03=SiBs@I1-=@FaHnf(pd(CFczYLMZ3@)&v2<0bH|&PGfbQ{cABCG;|c# zmHcxI5h~sIM4W`YXLA{l`TC+{HaJFNgl^A%Uh{wI2F^Bmq?~%mNC9) zvjmxg;@uaEIFcC&V|Ev2Qt=Wzxrnlyf|TZI%S+%CD*H!3Gx>uy`y#Dd0W zAor`_UV*SB%O~6C5!Whw<`B*`!>%@-)N#qVAIKAv%jx&sIPxZ@Bvo5>0n&X}a%me? zc6h@u+^jt1#VsUjE<(fLG}x>?r+Kx(J>||Ra8ah|d?Kn_a}q5LAh0mv8PT^$PLk3? 
zHjJ)mk~CYWX-%In$yweAsM1fNzP6~M4lyUzJg<2@$g&|k!!)Yt5Kr;Vb`JIM{HWG( zkupu-U62}@cR}(lNZtj>)YrQpspegf?#TtI2d5yB@j)haX!i{gq-?*9_Q&urMjPKC(EP@fk4moR2z4^1)s( zSmuM^3B01g|M&mqgKyyvbNVy=pE>@Yt3m6yZ+ZIjJS0umuVI#IPEqiRMfKzeHkeFn zmgoJ}s6yjqt!4tT^6T0I8Jn~r>hkEZ*OrY47|JwGdRbRk4*Zt|iK&x@qrg(MU&M8%; z(5G7JX9Ibj>hKrjBvC%z-T^S7MNJ`J;N7B!6q_3&Q4)sHW?X>u{ zJiJ2pE`i5_2{6l8`=}^Wl!=@#wZ-;P?4m29ifrpS0&Jt=RG3@>kSsNL3PIj9XIR&J zx(W9$^<~sj;VWYbU#oOfG=r<5>j;+tY^aMzbS7P8)B}6sEV1%tI3E$fRQm`>4cX zgmiO-fduAJsHxA=YZkf2D&5y~OLA6nIT^;gbCW&v_1o*TG|XXIv}Fw+H;pY%SO1n- zdJDQ*;jLG_X7_bg#G7S-LcKYA*QgK0DIYklQNy$!&GyOFX6vO}ZNv2@!w=E*?jV`1 z_5GUAb@NClmuiYAXj+^l?y7!dE|FC>dpkfmz5~QuVKwB>(Ym*lz8{+-IAd5w)~<+IfB#0N4Jc*>dGgeH%p2e@a2b`kObz z_xF$Jotby@#VuN@1g^2hEtfV_RfWzd?laArmc5dBSi};S;i8i}73+vHtg6Y8*K8E^ zEX7fygRhBn%~>(MdRfK{SlM#xAMqUXSPuggm9!(V8*)D)gurVD3XkUUFJuTmcz4w9 zVd#>nxKj&u(6KU+C13tRYAxjs${hjrpaUTEJznZD5q{O8bH}t>quj|^Y@K_LHz(%To8_C6Q0mj^S3$n4PQcIRan7NQck(J) z2xs81C|yrY8X)ecAt&Is^Ekn{{R02z<(CMH7T^&crC|<#rN8t7DZaoy;UpYb@MyYrjWY;1!asB{u05HU zi0m%>7hZV;^_;U{wxkU+S+y>j8s;G#EymZF@@`uR64nINh9cVKe(L5shw3O=JN4k- zMKt2gZfhUdJ`Zhe9PtbH^xqJ_(+&Hb=Q$by(ZKpkaaj3HM1g3-bWF9tDe&0fD3I?hfX5XL6q@gUiD|mJn zB!}mG?$%Ex0nBvgTuL&X@xWI68yIzu37t4y9BoD*Z)WFg5Z2jqkS5ob$1gd3RYsVcoKT@>|T;nne ztNi^%ZQ(HBB2Mp!iX!rg3S$3R-WKUPC2!i+ zXH7Nd^@^X>whiW?1y&7z_7%lLUs1fbW?BDR{7M1LZpFXT%inCW>()+oKrS=W`R&gybt10OWgYRqVSiY&=p z$!)M!x3acQG7}mGj4e=v;0w=djIX_To4aAv_j=X<7t($39SPz5wJQiQF027x3&aqQ~zM*kWnAe(E!lh_Nh3UaSCtGPbYBl#??8N$t#W?!xZYGA!&%4V%c8joU$4WJ&eD3Kmcs!+q5|nQjN{>TlHMkoRfJ}y?5D@4X9wt> z`|9u{_>^YXamr@FG1@$$M&Y@+73BCpUbzyy>Ok3I5hgP(ER*U_s?N>LF@A52pfA^` zsvfCbg;VrY?@vSZTywr##=$udQ~MPRm0)YpRg)$Sy{*@3E#A4_%~NTT;h`fkpI#*z zh)YKB-xdLMIEtpxuvg4r+liv#T(Q^(VhB}TxlaEr(gAtt%yuhYI_qHzo=!b*>5QYL zbBhpOZ0nrRL1{)8;eOIC^cVvI3FA_Au-Z+vlSPiPaEAWu_kzzb>}PI-mCuyp0I$39 z*wJH0j~&;+jwdW*TPsfHQKV=dMYc7MB3<|4QDiyJeJ6Od>NaJ6UnVn$1lNWWK6&|e zJfRBNfDo`y`7Ag*2qrX#%7c4@=_F9_FP%=f!J9m@5eH)tLGBb})XR(f+6OhqmjM5N zBpq%3aejVshDfwXr)f+odQ!oMBF)DgT$wqq-mER5`_f>z)5?x;wDUJ-s2529?uPo3 
zybR`xU~<=)^xWzyP1#9@H~_YYy(HE&I}1YqZIDwHo-3>i~e3VB>c>Ut%SoTpj%$T6G48G9T@ruQb{g zRTOwfHFZDWvQt`HsLMNI%k>3yQW=|SHg&(nuCBVTU`s#assN!)*rYY>cGb<0_jU8^ z6yF@i>2lVKW2eExuxZ88Kay+cnPxvmWDoyMmP^*0#KL89*s?5l%VK_@n*gYaSY9Z& zaVVaio*ndQ4@jfgRN|`sY$q6v_;qoJQd+yGM@A-LUpLygNR! za@%g)6cXrzav*PE^9qvcTD^kAD@bbHopi{6RzyfxKR8NUI*+G3o~o?X<0+4)YTdWw zT2|$_Tt2HI!X2uZv+xqGRJRjWqr81eA8I&8=_rkbr7hEgS?DE}9U{e0?QLx}#I0p? z>8CR{^#k-5s7Itk*|`qFfI&z%p+|FLAUkTqDIhMyTg$S$6<0x}C-`(`vIMqL)gsl z5;O7ehC=QM<#qpM;bf5VN>mJ1iJ8MsdTVl_J7 z_bOU$9=ft(*>7K#pRrFW^_^T?xz!@CMtdM5H{>VuR=DO8Ltyj+K%_}{;(qru{c&hWDl^zoB*R-nZ z;;1_2^?1tTsmfYCp7MCA)_vz*wp>kUuK)#>blb{L?n+|4q|-DGdF%rH*TLyKEioK_ zM|DLb7tvXsFFPd+tF<=dr|(>@kbjkek*`(iFht_jN$I~!$?WtbcO4U%egCB2UoJpm z=uBZQA*Rz+*_4}GPdaUW8#_7(IIXSJ{&ks!*Ee>GZS4E{qnmOYzrljXJ*G|EUH(B_ z{0N@6i~xde;S?rKF@0zB@U>-Dcuv}5qefs={3AHa&n1SIk7&VH8;5QDR-YoR zC8M_3HqH(dizEdSVijw?4Fbr38g7WM6?m^3w!AdA zDrIZ9l|zhps%~)*JQ3Uf7W1@=n$T603oPlAB1{=3eX^l)zuAX|S7uszIuN99ZX}f*q0RF*IRc|MSIQ}ayh(q<$%PL5HD88%!NG#NcEVkYf z*Cp<aRNdABfez|3*R2CilK|G+DXK9u#(+0*Vo%%0k#foLp;}R9?nII z?4rpw4;63px{vg7y2x9FmC7pxw&?7wldjbNL+5{hLJu6a zwfmu)_qz9OvHa@6DMI;Hyl+bnTkyUue+1u_Ah@k*Hu^-B0?cnjY2e?{#WKs`@7gglM+)Vpsmdc|dW)nNHJSyI>iJM%`Kl#YAh)v=!zaJUA z=Df(4IGhW$K!f`tlM9#fRv)%5Ybn`13XXEax${otw;e*a&)e>$ZZCEJ$vKVwrEXip zpG_{Gt&`|d?qZGPntYNZ!QR-Yw{)=QVgC1;b+Sgfu*)bo5*H0GkWA{rNk8Rs*@2C( zBgc^O{Gy4S;o$i1Ze|1Qe^0rK*Wyd?cyY~g7ouw)+{rfW1dGTU2@K7%D=W>jE1q3Z z<9sdbO5PW{BD5JUzCA(_C`!U0m|rHdMH<2J;@`;Gv#cFIm4_puIF*@PYJVjfdDyJM z^>PwsNm#Vw@(PSztL{#W0;_z;AH`R~GgOvtqtBSLFPhg)u;0}+N^HAY$8ka@C*R5| zmh)^y+)e)wzNchG{GZ4xFqssIxDfRBPP>DZT`hca-fhLo_#%FydG4yMdG5+}AD+7^ z$Jt^UB!z}Oa>VA5quo|Ka_nIX9yvZ}RJUw9amOV7nFYT zzFtku`+9j_FYoIWc)C(+_wVav-L6W@dn81YkY!=Ep4W^Q zO9C&Jc(G)IEqL=usp2wMKHNDcD25@QzmO9J8kN5rEXRD1>S1H;-R<)qbMEUJRLnB?T?WjkH2Z` zu+QSf726*j9>^s;?veReC+D6dhIo;9ZUP`_urP@|R5oHtzXdMVuZR z0Z01-Q?Yy5cAw{tV-x8}7qDV=a}Oxf-FXF%<4R8|#}J{twfFTFhAeNbOQkgdpi6M3 zobg@)u4K8o9(yR*4-N@?y=9Am%?`|Y$YhfqotB-|GWrFhOWcZ;BsH{oRMte;-~ozF 
zk;~EnVq~VA{L7w+RJk=H>@6U$ZHJLGW7Bp*Spm*_>gwbuB0lLgWp`hh z6OJ!}aK0$+_DcWbGP|O1+8hP%7d*R54E=EYTDrON3*)0=$!rYh3Wm)nIf<0T^5tR? zM_N4r#B_lCWT>}FG)TT8^tqaKr|z^h4=!2D3oB@`94}m!E-x{uKhXOkx~U`)=`$1X z1pq$G5C-mw`Jc*frRSM8oFwiCC&vim8`S3jFXPn`UM=C(5?(D~?@A(&$2#)U3I9|? z4hVXX!2?C4bQWDE2z&Z92~J+V6$0&^kBRiSOJA$UT^@JUy7!(YLF1e(dY3q{H|rgy zHJuu9(Q2a9slu&dh~WL<@sWs=Bo4bwYS3FgUL4nHsUO5bSR!KQ`6}x{5yBl}$60P| zqDM&AzyWONg|OLFfj>>>3zil0uv;u}K`Dpjkn+OtN&wnibST}xucX*LS>{(py^_^o zg~>F#qm3ARR$aFIQXf=qn(mz<#j*ntXki>ypt%=FD0$diSHd0=RYjx{^SLInfzd*R zLL6Qc!6atMHP;r99s?G?#3<}2?k;FB!;*9JC<%osS=TI#U^#FYsnAA94n|b9F4O7* z4I}MN=R_--g|0)hsoO9Z7&;&-v#siIEZ8;M{?e&y(@W%76H?TJ6fcB-EGP)a5q2cR zS7`7R8hnKYV^?3H!B=Q_P!$>o$6KS}kCGxNKIw5@;i?o<&uK?Xg0&swJ~7s!z3H&q z86npRwFZc}*t7n@@~h}8iFC#z|EOw;^^+C_u=S~-g7nJjZHONqwrLl92ORpu?JgF9 z>Kn|%=@m<&d~Ws=RWQlu>trUcKArb0An#Mn;9JvR^=VvMujah~u)zw1OW7lsu<12cc7Z1{N9xs?i?M6~S31Kz<`(?V65=f(p~QQ_d$qZlWd#ffnM zz)RuCiUYt~S-h3STUqW~%#iJmWo1E*#G)Igu@)WeH1`hMan6Hdam9FUoK=?d{LLBt zCY-(VU~)&^M|jGMy5hvJ zS!c2~g~8@gr`=XO>g-_)9(6uw)M?%Im)qXC^?%+rGV2`IX&kyz@BZ`Cxk#U&Frj&p zPv_(J$47@-=f}%1rK(AAt4SDSoJr6yXU*j0I7}t zOtYWzVLqb+@>iX&NP)PtbPK|R`b}x{CM{nHJ%mg+U!)nmA_2dA+VS=sZkF|Qz1_h5rq`crvD{C?Ev+0j z>(p}PiY&EM?n&-kOMW^p$=PuQ_9V-*V#0bd{jr4e!-_Ak8dT zjlHs(ZcuLMtK!5CYMF=Y${K!aP9=wy=gWCGg0JW=lL&Qt%xa?7ZMq&=@+=Q2?T|>r zmB!IDvQv^hP^L|I1g}7qb$|jnHES2*dg!eTDdb+ns0m`61eXN_MOw*pS#Z|TE_3x~ z!Zn{|*p7I^G((z%l5D9dc*HOMGJ#FaY?)5{2*CumJr1*qve@&Jo}cvmq~|AHyrcWL@)QSr=k`j*`pl=;v-5WNX3qbh%sba zArZcSkS`!q|HKy%a^8<8dF41?TLB>#&5Tk6SoF1s6t-SvJY$Q#^*3)|Oe@U|ChS76 zkMR$;X*PpjqRb-q5N#2z(3_)!ldXI5Iore#rn^zhH0{49s~B#gcV)~&^vhRwPjU$e zRIAA-$Dj1aGMjxG4$Ep9@5t|^crV3!mc~(vm&A2jsP=;xpSvOuawCLDe`~~wHB|VZ zJQB7LODzweFIJ7D)iYZPT16d|PrG?Dcw+b)DcfnvKJ8uWD{A(E0l$cS?i#C{4L+7#e(IVLPZpq1jA@Irl(jNGs|njs0%?eKa6f>H2Z z)_&`pCMvZ;Fu;e?H#{W|Wqvz9KRH8WR;1H37O8Rn@k?6Vke7SQ@8AN>L8?zHX(zg`5X%~%gQH@1z; zW0_=;#JO=6E@C0teZ%57z5Q9h4R-bOO~ih_qP-ih!X!-rO6@u|D_rAp1Kw#!lV{vj zQ;bS}Gv@-b@X)#lSwSgY#c}bw@-iu?1PT&7bW$fUbTa__!!WstvNXXG5_Fl+GMr`w 
zK7W`ccnf`^p{SlQ5}Ms4-#4I{x0oN7P0-URDYt=_X@W%y&@YKp(8hxf)xO5%K%4R! zCVjjU+ll&g;hII-avEJ8Du?mwk4mQw|9_E2iH&dLfa|&kBO(Vk&u|#wKM*FDSf7F3 zQks-mn+IbQN(X!i`SRi-`qDWCGEG$Z8=t>k_`A#$tx7#$zJ$7^*u*I#lPc5!6ppOi z;BbK(mm@%=_%D#aJ|RZzR0XMnBbTr(~1 zo_^{0)~344&AzEa7qoiHOW#pPS%z1(G8#sH^ERAZrRlX*V){?KuTyGz7F>o&m|@MX z5Uw?$Gcjk&ls3ZeB%Rrpefm3e-dt61FPb9(DX%;FbLx&dj^AsKwC1%(UVG%VN1}1X zL+9HErZnOr)`=yqumnZrPW*!}WYhg{!?`tw!6R^z1q4==x>v zHMk3(!8I1|;4iq|b$N&m9({QVI>Fo8q0H9j%_=s+wj_v?6H0f$5a!8Dm-Z~hIq$zI zBeTq6XBG;+!K*N3ozm%f=7#+sxa)#N9l@Ta-LXmxsVbIYOe;sk)jFPZ;@%;IBkH6jY zrn%RU1nd+gA_7u3CnO=zz8td;*PU|NCDvmrYQXM+*~VGYEc!K^y$Di|9Hetj|H_ zpT+~~&{>-aTFmm|JYz{tvXwIb~*6Z2D^qo8=%F`Jc^g5_OKQWirr zAGFgD-KJOL045AH6l-k#xzz+|g`ApnUo9Ut{Fz_!7eSFJLlvr8@L&NS#ku<9aw4ge z25bTR;J4o&@vZ1)PQ)bHVHz*z`n4aH*0o?X4-1Ce&j?-5<^6?0=enJk*offZ)ytKg z%=D_dm4W%fM&-Nv&wqdNA0zzgZ+{!0@8{j%+y5Hz>$fu1S^c;guR!B`Y{4c`9N~jq z8TPRGNBhCMH?wld_^kAM_jJ7D&He;VLweuk)2ndK%3}jGlpLHKfBf#O_CpP+9&#Q; z!;|Rq%AJF`dpkLthhGW|dXBmOhs=P5H&63X-V@cugo~n9REUw+6gkR&Ce0w$3gV1$ zC7Wp*`ecjfW3z*%iJwCll%9`@S_q#?Bo_o9#jLB%^Ic+ExOa95csw<$;c~skn*H5sWe_Mo8YwivDR$e1)y;E?dQQNKEamTi8r(?TgTPwD08y(xW zZ9D1Mwr%b7`+nc9e^>nnbJjY0*1@VZpE<^LkKss?>8HQZ)YsH#_f+E*JUo^5hfsr| z;IIJ32@@zSx*r={H}($iUgKji%Ao;SO4WoT!2^w0iozn-AGF9@?iYTss##iy`#JnO z;*W6F!0kf*o7pfDbH%Rsq%KGmg@+j$k2H0I#wzAm^!m)v^4XfzrUYH52{Hf;gaz)n z3?x|O^Zn@ox-h-l8mxu7?uTOZE<+6Qrjv$YDwL9KG0MxJLF9e+pO~xOcH;QQVXC|Q zc9~kQN+t}McflEJB1}~})5R?DYH3DEab=)WDQ8xhtRP`-NZp(&I0&=+poJzYQesl# zaWF5jXIpr^9l~<{K8j`wW-xUt87v0KQ7g)x`QOTFLi5B&?^@R?x+2iIW`~He&LRD4 zVoL4hX3w;IGLQZ)W`19Hw~~Pk=rQjUuny1EAB8ULx1=`E;hv7}6p+cllPMo>cMzBxBg(wRDNV~RqMmT%R{SwNvruc03wm;D7x^X zae{L|fhl?23BZJ@0hgSzzIDt@jN;z|lRv>Rdb+_A>ed-@KO-TAM}6m(6U9n@GBH+y zyjs=p#si!hD>%I{lS;Qjest!xM1JEQB9Nr$?PTepvAr93wxR<7CxA4(g;gaWClQte)An4NG<=`Fvt9c8f-vSgyQH7?hwLXUCem%wyG$ckb7PNyLkAAP6p!&hVhmPW z5_v)Y$!xWWVajZx%i@W_0yaIBKQKQyFw4Y`^UuI1-ts#>-|sKxMJfz)zurM6?s|2s z3FXb`s&)AjFX{FW_WsOk$f$byv-PPg(sFyzeXP=#4(hMjo+E^5dBg3ln$zjrwpZe& 
z%1dpqQnY<`CnzhGqlezLh?e^6P|)VQ+eOKuX7(*%dS2E3^N6}=&q8U`(l+z{ji&xJ zVBSN1@vQq0VeoAi>vPgfcel7d}0(a&L=T2f(#L!_O zGks=dCzxz8UW?<<%xtU3CG$V0_YoMq_5rgabkabqz0&o3xgU+&`Q5x`5ArbdfdVOA zEcRPwps4$n8BktwK^n=lB+m_XOyBuU zK6}1^!GGWo|8?RJuW2M!Iur42gF5K{#|90MSvDj^QEDpFCB8a4l%VR`X>EGFCUKIe z9x+LVOI;`FVF~!9fKIz)kKaHveyd{3N?%7=pC5=FvU_r}B9ILp%918cddfAz2~9kD zh*l52r}%RFZGSfW-n`@%N*dZ>Rmr;h1FLBx5mKuSx`<@4E7hwYmL+frX*Q#5d z^O%Er3SBkpT6Eh^eF0g`QDmF6K|FkDJ?eqGiHomp@}{}+Kkn!39aieM`zbnPVfgKS zCM;4VJIMb3c%S3{*ZVwe_^^QfrTCd0d`lV{O?lASR0OtO2N6-4{yPlmO z938qH;K+lGkUI>)=^16lnC=}sV3%jM_BOy`;gdBNb(LQIU&CJH{g_%t!8}zv&%5V5 z)TanEd>{M;{W(vi2(6$P^BbDC0F#v~zOsYQ0100$4%6gVTqlYJj^B)V!io?2uh={} zAfIJ*<-g~cpgvP;R_x>aEwe?{S0ubn5TEhG8%0gvJHfSGd>tGsNx*KEL*kn&%D6hk~WkNu0-X0gpDgkd5{>Q=Q6 z-po>aT%c`@v6k$gT+=i^xW%JAv=N&9VcAwVXf4))#V;4lI!WphVqv9MCp4suaop3Z zWR}r_NN3zLO}@d39f_hKW$Mg8)pPKLxstjfCI!nf(p!ZhDGmjAG(7fhGgp)$0HXIU zCWUOjnLDzv^$i`G>xonVO19x|ZJzH=vlo5(B64Ak zZJrB81h#TVwi0~|>P$w#b+jT~eiCcShB{Vo`~@@``gjh;=I4sL&wwU0x!CXEQwWdo znly~&0c;cBBS`Wep!8jP)BGA2FE@XU*mRBeST2rg-48UY8|=`EslOVvPslt0YIQ0* zPa#Jt=-uVB)tl2jHa{iHLCkiO)PKjbet+z^9Ke$#Tf3>v!oBy2+M}UVM2vIu@lx5 z%9G~EAk@`1p(ju3Tr1ECy`5wuT#sA=u$eLHMB6uv@$@1E5G{Z+dN}Z>%>ciejI&RS zBUtOd)4ZH%w>hl1!q~s$DEDzQVYN4MlWc4$~ zj(Z65pNVdgZyib`m8u9vqf=q4-;|Lftp;l3URsi3A&>C?xaYyuWo%~O?)e0{;>Iq4 zD^b%IZPEsE5TKj_U2T?JB!yug|+4Jp7qA%fInJa!!b2s zYAeDKjeE48LC=yk&Z`D%qI3P}eFVIdhk7`TlI8%sx&Msrh%Hwaq6hu$fjzkW>p zc=zw)pgSB~^gL%W_?rxoQMHe-f`eM{N>9gB?>pnKHDkC<4m06sj4hu238rSwav%nZ?etLe}yBZ2O~BPaT=(5=$4J% z*2~@l^2?~SZk4`A6Pa)@hyXy7C%*1~Ni~7~6vV-+TXvFGWo;P&OtJ4m)`!{-Vbv_C zy(%rg5I8lkSVIqYdII-cQiAR3UA;7J)R)4oRHLjqM+5@vytHz__XuR@^9?m$j`;1n zfaI)DAp5&fZs>*meVc{frFPqciAokT^R~ijAS%`2;o4g(dbPG zWz|6VB$S##7a<>XZI2G+iN?XUb;AI9y?Wfs3FQGn#$@XXE1cjj+aPm>ZW^fXn4PB9&&TZ}vsRT->cVKAz6SmvC>0*E zIIz@UD2;;ze7YDCEYlZ_zosu*FZ&%l4%js#gGK9(}jpYa!S`6o29d|JQ`Vcqk zRMy*40kZA4_#lYP>XSj0+5r^aNqAXtpR)+roREh=Y^|cpk}sj1%nKFOA#UXMgD6wB zIex18r|Z;d=0;4piKER^&1Q9YawPFpCw!ZZG8@|EpZAwlOZ)4GOVZ}pcm=tS;# 
zPbbY04d=<85aB~@MH0Fp#T1XzSkTiM3Bg!0IV$mpKSPMkzEJ!|uBDI?ECN1~Tw3HE zS#ZB>Elg6r8(3he&|eXDE-VnkfWL+iX?)G`#-G0mc>UrQ_(c0E~EoY7P0<4C%*R zmHwvkM0+?7s0{X6zYD4ZW8_(AF@BfNQEpd8jRx`_)g1!2yZ|Zig#WiJho8G_gxw*bWXaOjou{){t-tKbX%UCUEK5qQQ&-nh#Rqm`wq+&^f@~)37W%} zZXLEt&A!ypEs(key`QEH;W%t76c+wFg{F)zqwkrFVD&z1PE$A%vYi!+gFg5Nbi0Lq z7l`NPnQb3gdKS~QKqyT{t>3dX+p(U|UIikxP7jaN$>v7RynuKA>GEo3ZRkj+SrFh=(5(K|_L%mzyZ$ zLcLvLe0r5I>oT9eBQ?(Vgcs$o|fMqVw)&jP{s&?oV7Nq|KG#ZJ925+2(D9!e2i!+X*NR zdiwsLk6t1#_(s3ELgUdQA@vG?ulPO{#0?J?sq@P21G)97RkPBGw#}G3bJVF~!c(Nr z2X0GT`^l{BIllJu?Wd=v|qLdO&smFY|yTWKyKfaJVUYyywyV-*nLP!PeBwRoPZ8pZj&PD z(Z-ie6SYLJ0mvdvzI9P|+L0FD>XjXrxFTEaHOyP-lr?+uirAThVS2R<-u1f5rO=lr z3*`iJDST&4FtIe*LX|Fg-aXuBMH~I*7&2$F=DqHA%=H?+<|Z#(93DLSD)mc2#|zF* zj<>v(p@5I7DtZ02g(PLP6_LL4o*x;gKW1h|szbPk{Ba^75r!db0`6c^|6uYeI^LZ! zN7CuvCFh};U#;$f=~mTe5KnhCU34Xjm8qcf_!!07jI|`owfOfVXXI1mN5-lbJf&Ql z0>D@;WbD#|%_MTpDrdDP$A_uEmkzJW-g>jArFI-uT5#2`((Cv-io}AY0mS%nyM$y? z3{ZZfJe(8BLZ<7m;;)+4?K1|@cjy5?s#D4nwXM5!c1Dqqf9WuExYF zi+~YUb3TNTzCF4|4;B6`*L7lv6qRH%W8h|eA1EgWVE}a!L_7+i(CAON9gixZLLUXa zMj8a^Swk2$$_qF-dnee0J8SBR4b?@YNy$;G?^X47tzgeFg=P^?!Ezo;%o>Ap(X<Vo2C+geH%BOBZP~SmN zu3faKi6}aztTm01N8#-)DZOCtEs4lnBa-OD0zzkvUP)vwoW(h5H zR0i7ST~5ce1&*y)S^Xh@S6_+hHt5*!4~#o0x3q$&De-Ks>*)viL?p*LW`5~+P@bvO z;Gblu7#TyCx{TDWysFfO?Mjs9nG(X#eWeM}-L52~NeT)RmFMho<8J;1tCI5#i$HBy@6Z37$}9vUeE zL##{&uWMFN2l|b*QDR)0Xd^=|J`I^71l81O?#_!fxEHd+ebDw^@61{SH>|T`9Uoq+!ebCsxF76PLiQ`TkYuxuxSE@Gu z)2#i*mj#+U_Bg9x|@_3RxA$_5RXIuHCZd)LGb8 zhW*c`Ia)9mc>22IaY?+udwGCwb}6@4^IjyVzGg-mG#Sy2a#FMkUsf?6R=+VveHX@f zcVk3uR*lM*KVk?8g6CH)v?CfscSJb8E!LCMf&OkD`@<()E6+LphJ?#~!;#0Cxjwbl ztevxDY(-9$98J+vki6Dma~5T<*14pii`pQu@gI;k=DAMg=?xTPibbo|FKOF?;9IE_5w>(9BdN zi7gY?9uRN9orsOX;5&ZDU3MhT6LadOb7x+L;ar4PG7eOg35!-DZ-NXXiI#ZD){Fn zJ{~@#BBkAikoCE@7{-+zfG`(%_18pYqC?}o($@^|Q z++-2juAbhpZ^^l^^~m2RwHk}2kHX}yqGSqadRWL&a~Z>B?Jk7R+8hELvE^6<3pS>+ zSA05`_X^$`=R_=hhPF~Wp$6#IjN>a%S9*mkud>9r6QNim+>hNcWow?(13Y3K_h{$Z 
zNJqPET`OWOck!`VMZ*Z$sXE};4HA>u18rCx1(kKO9ajsMcX2Ks7Z`n6ANV3XMEr3renu9PpJD&Ct^Wce6n8w67q&82Ccrr<$1` zx?Se{#T4nDTo(vd^!l~b`wd3XWYU#dgHdKEB$Vhe8#z7as^EIV-<%o^9Xh=JdavWx zHBI5XiiXeJ=yd{Kp^3iQ#_R18svwjBxx*+S(4|8&3kIOYmFeREukT?RS%atpro4fG z48ut#7_iCUh}X$t_6}A6g@R&FsJyDmJZgUen_rVXdZiOUx)Pd?9v@ZOd6ZNPVUFZ0 zNdy(5@R-ccvr^!K5s zB2Vm0Nmb+emD}XQX(PZo9ghXt&YkI9!|^Vtu3;w3sA3JoU7a2m;(CeEd##<_wsLe7 zUni{;{^dc=WII&Wp6^MFybxBJ6&7v)Afg^Xfru~f1J_eWE8QiS47AE)#H%rzWf$!F zJIc}=sZG@9XW>4aA7_W)!amo#2r}V^#ULTp7D9P~t9oh-xU4f`U@-Htl-A4{<=QXV z<1~z;^s}BjQY&^$=;L-e#H%=fk?;4CGBVrlBqed`+>|MbsYXrFMHq%1hz)>k^HT^;ZiP}k+5s!5dv9ak-yMI<;6GBOPzMr(Md@y@<^fuj|U&e}@^RdF>f|#N3vC z#C#bxU4!1K>*D$VD_PbZw)1-?t1;-7p;h0_wRIxp``Z5K!X#vNw{C;N^Hyk+u&ol>%O|Ju7mcy|%e7r-= zgJLZELYXG4qIH>G=&|qA?Q@M3rm<0HyPnDfYHzsg- z(Qq~0P8=OF#TDQoH0V{A_%z+8!_}s2${jCo4hC_!7FVl-yDUyp=w|(XH-L2KUKhDG zXMrXD2iU`%`*2cuUbZ`ZC^Ag1s6#m!?~@J@PHx&vwJ7$d(Jb1ORtXN)AenDS_LO$! z969)5N;!B0DzFho2AQ=JPQI{=%1Sc|&bE+wT}bQzy_f&IkW0;%jeHRt;+G`e@}eIi z@cwg&XP`vAr9T=+H*`?lg48&eYEaV;zS>dd-gM^Y#Ze$*=LX-wOyrQGJi++%>o)ddv2~1OL6(yIlva4Ib8*x$l=FJNNIGBlZu0J;!86912Yh z$NKU0?HY-r@L4pr5Y<$j1;~tU4rmr_0G`w(#T(8hQ5D3(Ly(6%8rx<51dh2<1s%vi z?LXCojOelER1-fbv3>Ntpj_!JuxY+o?kfgOebr49LTZ`2wSFy}+=a)oH@+Q0`qG)8 zPYEfxDxBf8q=7(HK+REOHWjDUl9oscchr6UM7~(7Tr3mMX|e4|^PE$E=vJ(%*k$5S zdV+J>DA(?|uRDCOx3`$t-4&oCCkQ%$8koJk6$8I{s$M-wCVVs5^x~-geDOSz%DRK3 z8$LZ#;U|-YF`Rld&S8nG8Y4lJ{&wsb;N9w!OgSYk(?{Yz#1GqnRMr|d1FW;>M2BN7e1rBTcgXP>QrcND=U|!Xb60Pk}x7oSA zR2XZq1K?{4txCL4a$Nwnq4{9hItfwaUwuGk`N0%P7#Ov-U7>8kFxUoNcm1WI4tGF{ zTIX!E5P(=;um|I zQ&voKus|K5%|->VnEbF@sxtYn~@ z>-2*^Jo~`^Hu=T=L2Dw9fsPavq=zmF7Z*PUZ$C!oxKKCWg3 z=y4P=`RcH`r}{&FX?H9ujQ+!tmUW){<0nn$_Xq z8bK^D%<-3bn2i$C>!SgV%YN}bU01mp#s2g^4%|+@P`{wrw#2$KY&vV(AkR~3UI?I$ z=Pji)y@Fg}LU%CTmAI6)+AkW?Id+b1vi-AjB9bD;wdr<#;AM?0ZQ#&9Bg}@w&Zte| z?^W=VIqx51w2C1eb!j#VwtHneeTYV!BPSziGZtd+0PbF~Yt#=Tq}-_*YE`Qho#qpF zb5T~_T$a*@EMYqrsq~S8MquSdAgKNM3Pqa*o&Y^d+BYoJf}h3QhJKannlQbf(*S@G5r;Jfsg;-Zyvsrm*2_v 
zG&Q69B09ayH_3pl*~9%P>Kb|5t~?kG&(;$#Bm5e{=6`=j34W`+zhI069ExqHsRHwB z#moPpF?Bjcz{b@e{kled1mSvN7nj1AdmI)4BXKZngHGmQWZwCMZYm6_!Wx5w^3`89 zn63&O)R)BiXnNsvT{cn`G{FA#1hF5@vD;Y-R$UtlC}A82<_n4d(6$q%f!nwNUP*E{ zWUstz8fOWXF~<5Kl95xoOGP+QR^^l^L(6ljDWu$|QM{yf`-u3a8sn!YsVsMFwAxxp zNz*HgRx7f8vD7kCt1&r1#tf9w9!Vb5VEHSy6xmi9l$ur9<_=ZW74i)^D9~#o8vaZ1 z)zmmS6z?8+j1w?x0v|hGQPvExin#t>$L6;9&^FF9wKt3Cyo%7NtUQs5$uNrMgO3U| z&Go90f~O<^As~Y)^U@4K)HJ1afmz5oJpf z4Uv3f5{)SDD=EKN62Mc0{~u-b9RFWs9YOdXWlawLUu8w8`cGNgCTOk=y09b6uUR+e ze7lyBXZXG0rnlF-d7b-Zj9J7-6RGv!pA@XJjW(EuKHN+a22}#t2V|GWmO8{7^Igc6`?hjqbrr7-r-p}gg{9l-jH;U>hBfnZ4&+yzywSkH7Cqc-j^BgSF z5!OT$b~@-$W!NdZ4PewU7?!Lo$Dn5%aQRehz>S%ZytL;u0kl|*-6tNaOv~{^$yH4z zkr-jnswYPIOczQ)F#)3hfNY!2&Z8j_Ctb8j1eYFySd8Siwwz#0jY^@H%q6=Om)Y-u z%$yK(_`f1M-P>N=?E-W$>JTjD#0Kn?&S_FprJ61LJ6J z-dMo9UzpRsc8zu2nuJGLv|gL>&V5JkjX|JP39x+WlDtk+sitz?A#KXI->jPDN3jHP zE}6WAN+t7p?JJ97E&R!*9u3FtX%^|kFrrHrri(b{233l8QD=Z6!Nw5<{(d1)T90$N z4X_h#muZ}tuq<8m!fk3(oXSkO9a|~HX>IazTs1la%1#^PbUzdf#whH|8plsC0OZ1k~ zye2X~j0Jmp_YbKFW)0|AYB**_id~Hobns;%`Jnh61mW>kaqP)sR?`I}q3kX@WWU?n z-#s012dx#N6nSP>mUo*#&Pl-KkDU8lBH#epM@1lwYUX^H^wTps2YDQ3YNf$Us_aPR{b)>w2aP_{D66RQ1yk?4@-3xtldA-ylanbGQ}#q5CAE2X@OkT?Xx%^kT<*QM}_%_ju7 z>Nyn%6$hcxs!j8hNy>a>B%NDA3E*QIGaFHmx6Vt7W^rPVpH-2ZjsMr&^(RL8el2NH z@fYk1vtSl$CF=nPxsuu$8{2A@GfE4@K|5A21pTG?fc_X2Y#+LqyoMs_wE^oXB}F9LT* z1k0H(PvwPqw2+IlhJ^#UNh%Ot=zqLElQX@MnV0bn5k=rLx0ZxmW&pzZ2? 
z;E+5X3Z_Uq0&HP-EMp*L2AiA;_oe%3;wgsWH)!HjwuE`5<*mn;MB0CRNzPmUJO$Pg zy|`qSEUQPr_z9GXPY^I6-54!n5WMw`GjTmoIQV<^Xh~H8< zS7)@*^EkGo)-ruwNfS>oo}bF36)`I%@;gefySQ?cq@M(?w3;$2X>wE9I^?l#!~ye$ z15^?!s!X75ont>KJW9JugBmW&$3^klMJ0fwC%w+5xATvd`3)_7YWsKdfi<0gE9gc` z9XY1u)Yk~a6(DaU$3LHYMs^_f;I$p0!%dSgwMa=nd&<>yhe%04dfjA6KO4JtB)PRJ z810bcNR*OXW0KRrb`o^KMxG@Yyr#(BTT^}fQPO{xD%%bd$po1qB&2)!0J-E{M}zu( zb-M)s8IlBNayAezj@R!*LonYGAQ9G2!Clo9vZ;2ZKm|-2|E3*Z8A#K>rVxBY;NyB{ zZl-L;WP)D3$L`n{kvAF`L9t(bwU<5gjLIm=tBu))L{^>Az-adt`jrbMH9!RZ>JKa< z0rXA+!d&-au8{CmQUnVqQw9sLqFDS2Ito>R2ux}f1=u7OgJo|eU<0ajGiH&F_{5YY zw1#@!AMm%WaI{20Mm{zfLCM?bqN@at9zDR-DkV8t6(}cT;$YO9RGN-|V8Y?NUM~MN zg_>XQ`6hwSm@$bJ_hIS`kMA$^`83=+SY8h{^y*0l&`O?I*A{8PG+UYFqb65H^uAu{ zIVRy^CH(p6#No`l$sN((#(;W?+9V=CXofw%O$%^37iyjG$-lMxPkNTej)KDWYz}49nj2~w1zoR`e4|&d9={7)!oahnY8nn+v}}^V(upAChx9fqB-kFxPQj;4 z76is&lyQPPoyf=z`jecb1`-B|loS$qThb%VE^wgTwJ9XOPCT@D_j&^oahuO;uWwN^ zB?pm*;Oz5qogf@?@s3@xziZ@rlWV<-M>{97n^3zfV`qdltmwM~(it19*|SyVhC5qV zgxN0ff06~*+Wk$r_ea=h3wQA?v1|3asX8JUKV%X>BO^)TG!}~||5wPq@Dx1+Rqd$; zB`Q4;R3HPN=sqJXxhr-F;r+*cxy!q=yz8*~SxF`Lcq>SFa6zFmQ>tLY`f}9-uVU|1 zn=sF~0e12F$}u?uJ4zM@UMH%`%5mX#ct*|jc4z5BI8o@6nD}!&I1R(cOW{xxat8Z* zD~EI20OH1|9%lrRj0px!K4;_kam?R`Lnm0@dtOM{s1OU2!ZKG#Flx<+ztW*3$v-H2amBUw6@Byixj>jKdR{1XS>0SRT`@1L4W5EE45`}y}Ti-Eu~ zPFrpg!HJ^m0VGctWAGFydJ_f#nsZKIiVj&EBSo`ii%;*||jX3NE$LmQ;?&rr>il7sRhv3%A zxG0Q(k2#X>x=py?JT!iCuP9^*#~C473|P!>vp;N368C$bFA3xU==tDY<^?b!TP+li zHkofg#0#!;(cK=z?KT}seJMYhEW4X*j2kF6=C`(UcFqtv-?Zlz+)6>j{(`FI#RS{u z4=s HeSAogQ5R#|SfO-n95+omcr=(YR@e`Mfdda;TVqT_Y-~RvD|0Fs&%HlmYslg9L0?3jKt-v*X9g73`Y`mqjgeU} zPH9HT?vjO){sB>t1&sPM87++Zi4%rL7`0yNWRdM6C``BK$tmt~DZat8O%Q%Gh=#n9 zI4vAv=#%kc_(Gb?C_lc(g0|N|73?DrTsner9mix`m6=)*C?9Woq0z* zhKuKwSJ!()pvL^~;)lACUr;T%za{dP*Hy$8BLrh^+9kom_;;JIs#Q$cTcsYXP9n;}399WmIU) zKwl$5d^~5x_kT3Qe-!vsEnY)s3}i9ai)wFy<*p$hH2E`iUfJ|XiAs2qQg}g!R88`K z10)%fO&(Vg+iN0X3CF~J;xOGU^}7sk;Z#dV5+|)Yxsge$uRmyd=ACk~r?pO2?I~nb z&5^}1p`V?l{Z59|Gao3(v!H{V+r@v%?756`QOiVbhpDE5Q*(|> 
zA=&@eq6VL^q$l?xITMYj4E-!q2=8sTruyNQSWB!Mej4HI!!%54je~GcrazwmXE~@T z0$>EfPx`WsaVx(ncKhs2o~( zG1HwEQb6{weiE5kf+o4`!GPUCjrA-L+w)mWn`dv>_A)Np%b)e_H{W`0V1mfOg~O`- zixWL5QEh+K0MWnXa^CL$RQ68Ykv43&Z929pwr$(CJGO1xw(XA9u{u`8>e#lE4tL&f ztv$v*-3L`apblzO-OrrY)RmQ)CF#rrh+o<{Da=3NuPkGoh9n7mzZLn@WZR0q7Mc(i zXQzpHc~S>i*^u`xj!No{)21uQgV^OY8}j3(IN(_>5Z+Gr!tX0H_fT1=w>>~=G^8rw8c`1*63HC%G-*@)~$K@ z+3p+aklF|00s_V7ydPViNw&3<-9UDuJ)u9&Zjx_m6;eFpblaLDp)dz?-bvKvf7qyTv`No5)*`gl@o!^<9kd;hLi zo(th{kvvN41bSZd6}_S#vyL8s`!YA*CfRVb=TbQ!|C^5Uf%$*wIO1EcAu>un9Gw%ceN!F3;Bm)n8%3Ex!)e>z_7MKK-EeEU zOtGCFzMT1hgGvEgM3-_OAit!Y^3gyCJb{dBL&S@>g=#|&i&{y^&7{cC6kL6H3_3QJ zNVQiRJ4hp1(&M6e{5EoGo-85QoTw^a?q-up9(#yW8ypUD}FYt41nvL@F|dPqMcep>zqp zD^Legm4H&@9wgOQd@Ecw$@;M6N9z?p@SN1tMU7q%Nsg5(HZw|Xt|C` zC)sP&&40D5bPmqEX<9~DyY7^{!MCJ!?&RhlWUN2D7kiR;;E^{QF_U4?KElAGms^~a z9$4lvMUEz^Hvw=9q^O~ofB=UdrU`hw8_GhegLrCagLoC+FRY{gKIJ2!4jPG# z=sb_AjNt3L#+QhA|HJ6;6=6Ijqa*lQ7)j3gAul6ltoA(jx{R+|>O>Jx z&=W=pYQ9Bg-Es7VJfV>4Ej*qkmfI9uD`gWfu*nB-!F5M5RVTR+7dLS6=d<~h%+t=c zwj1F}%;!&SntU@W*1jg0HOCEmi?LWEkwz0oc0)|g%*L7F6zegc>X0m5Wy1tKQ*d?H zzli21C39PWhWFO*az-34j83y@sgX^{9DAYeyAP{mOcNi?N!?@QfHEowV*||tL@x^s zX{?ZM6!ZmpHft%kK6+fkU3^Za9z?OL=%@-NumWYQh`$cA(yWr9s!kl^p2AfHNd~F< zMXm+0h^StL8d%9{Fm%plA&Tm6@&n1~8)A1TP)2!XsQ`rVtuwFZhqQV=wp#&Hc7E<@6n&V zVbhS+^rInY7XR#!l`G)x5-%);!R1wo6prL3k#eBa$GG(|V})>^QON-(m1z~zuGZV9 zk%;vEpl+9&(-aML#mZ$La6+5MLxqo{+pn#drA?t*3~?j~eUUQjqF4g|n88F3uc&^YzvdL^ z8ZM-c7M^nkhbim8?UD8vmZ7G%9vjbjuA)7K0kBlUR;D#qoHQ$jKe8XT5=dl!LX)S20a1cs54nUQylbR?|An4*N+@k zl7E(2r85mr8Ypb_Hd6F^N_V75d14YBL&xmfUxPrs(XQ+8EPwy#vLxJnWNSWlc|G&h zFLVHbCuDyMQCxO>3`BbDX5ZjmfwDL(oI`h=_C>3;?9c=!?qr6sjrZqwyrx9kM13jf z`1om9GZM*wE-?fW4Ng1EoM%vA-XzU#@Gpl9F3s-WbkBzOwsr?fpP^IN)%A7Ry0}$C zxTC=87?Sh1{>vG9$~H)zh|T}Q>;#pZ1kLbDfXd=oBECkDl^gOm|H-J>Wz(CY-qIa7#gEG$v8y? 
z0+P32ejtrsT|^2?h>GB%t|iWfhibH85;YVdR0tr)jrQ!RstBt;;PsRqT&&JHzQB*r<<*pfxCRgxJ* z%Pzj*=*OI>kWq(ip9DH=vK{niM&+ttM13V{?In7!h2jRvlvYsB4|22wDb|}p5Y_%B zvoh~2gmJ_s*c+wlq8KFv?So2YgIqIu37slMLNonJ==0#wF+y$9vq}0}oL1zk$>c*2FSzRQ&uTiqPM_LE`e4nk1&oAoyQ9x?IQiEPU<-Gs|iqvO0Wvm%z~C@EE26|-ttSO>vk&5cS`bgF`W zScw&%u3w2YAv=4n(Fe6byTcms)t%ha=@g`%^qLK!wxTAjr=_O?2HLc4SA5(OW+If= z)$fA>u&<2e{#&amizy+v&*j2f#)3dDeX2;DRW(3X-no&|bUx%Ut8FJthZiESpE|wH z6ctwZsEL7FZnIXw{elC9NyBLUuM*6154G8vC7Gr%QH5ySr>W#`d%IQllqM8mY8|^$ zG$A=)v2SBLtaj*~dKs41vstwirnz9FF{p+vEsn9?Z>tz z*y`=8Hxz#idy;_SK=ia*ehjLEPvZ$2n1OyLteO&K_WTm08VD&_ znqzbm+7I}qDm_IQAQitQ6>UqRgDmvwD#^&XTy|LQHgZJaRqHIegQKYy@^L*~si^=!3pJ!Fptn^&x@CPk)e5`t{JlC$=4r0j@#obb(pN`Lra zQ0spja`p6jpiu`F)5feRu9rPMuq939vxR#V&PRVlx8a2gRkHu`$##b4-(xmG4PY3J z4`M&t2=M-~cTk&qC?vlLT)&L2M;=#YoYvkI%)R2i23?Z2%#8i~tK6JBsIeoXvH>JasBOE7>AWX{T8v~@46<9A6xn%NBJEvYr(*P%4@OrY-2o&5rT6l^1vudeu#{CXgtr|M*?wl>N49)lgTrgCGs2qQ@m73mAIKFE) zyLKjc(~PezK%A}|P<1?{GejkM$HhzJ$SKUlH!!hB<4*ZGS!Gu=n9|h{4NFYZuez;m z;WvH>n;;Lzr8i}1iYHn)$1`bZ7Q3CU&oW1atPN+mPp=PHBbVfs;xCu>Z2oX7r}n3& zD~DL~EH%bzZJriq*5nYm#8+j+k2Y(-syd`C)7DM|fKF2O)#7S; zAPV11XCS=$qzI>ugK{sslkxf^2^>TMx$+Yv>w_Ty)NXJCnB5P!us8q~=-o>8LDGoI zBN~G(%R05KKpzt$Ed^6cR%yZ#9(VIP$zR+B(=|DA9~*k6OT2_Id-*}bj=(R_GXwB^ zUI}&V5rghFY0Qx)G+b3gg(QaXu3+9zw8VG!R_VVR+^dUqaqwv9K)b%(f@@j&Ou>UV zcvQ&?!7uMYwA9Me^fjSBTkzWkxp`NUnL7+lNHa83sm@E0^B9BOm{tJUk!hkq%9H~IpMa^IXtzgca`X_Y+V5}t)ax9gN7HrH9@bwNa6xPf z_``WJmS1~TCt0{-H19GH0mcNvp2w>FcY7%W#u=j5ppjuerR&Z&K6d~?Wr|W=B(=%y zwWslo(D(!l7^=w_M|@n;t$0qQ3z?9r4D@WTxN|Jt*}lj30|+qMKc@c2=3W>v{cCkPoqo=fkPMxBTVN@0Qi z*&jt`>>)6~+p1+lStaEQn)Hik1-A*89yaC2Sq`4AhAc{!$4QOif;ee>5SxCDSb!Qx-F=)#kIN zD}dJbL(Qjuzg(aSx`sx}g8!}9as!0M;G83lZX~wH?uMO#VIA-jy~gowv)u~cN{cD- zz|FP{BeSlQIRgp1(0)`a(nx9?^|wMus!O5L7Bl%?OhC>{OStUU5>X8bN{POcU;E85s= zEPz|9k>H?^N$W zTS~K@g2Sa1HdXA({BmW2* zra6|X`j;VHHlNihDUnw&M>nLDuV@8amdf#D8VM>jH1zctZ;)m2HEOd)f4o%^}K970&ibM6Q-$@AzAh;6*!o#)QpjZ zfyrc3O$xh?VBm5p4Wn;a(B#s(6VxS)D@g_=)xyWT5^3vr?DUu+M&#!fNQ~OX&DCSy 
z+2m&`77fOZYW}qE;FtYLoO`iiiAPw*52>y7-2+gi3c?P@ zlJ}87-A;%7|6>pk{2IJ*zR~J4Urp)ti*dd8I~j?GenvIJGsBU5(0t*w-;3a6c0Pvl zRB*%{XlW2AwK#z258k&4t*Ard90{+6?aRBt(O&47`dkHHw3Iza#f7gGy8+L3XpJoL z2nY}?Y?t`Y9e}j&BRP&c^=Hs($R(CI+($bFtltN}CHNv4xe@-X`$!4{QR}2AAqvE= z&S0PtRoq;^RSv^O9QH4w}uy%vQZf-7S9&VW!ri!7$60na`P3__o&{}?k%UZf{Q$% z#Xnlt-ogTxXF0bHmt5ic-6|40RZ5U2)!y3bEWnKrrny^=8f68?CE?h&!Ye0pDIiw8>XKgR&*Cs~RH zA~3X!y^=(QcKF55!_+zx^DrDycR%-Y#TMW!pqXSF%c&B?ET73T$#*Qs6)w?CN3w-? zdj0rC6Zoz}d=O3{6S5@yA_?D9gbCJz@W3&MUC zpF(}(WD~AF9A9EMABn*#`$B-@`fEBs=^UvyX5^DpC-y_~a_K|~u{jC?S~b>7wir!$ zYb?omL_3(#u0RW6wg@$ik?oR($AoSKP0a2Icij_9GBt-Q|z;TzIhQ!<3RklQ9%XI90hppi0=Pi1VPL)9IZ~Y>BjfisK(49voN<5|Q@59lA zndM$`q0YYpHy6$GE>0_M&X#9>uTYU8`gZn~8{Rn=tF<&yRbZGU4{OUGg#`7Al``Cv zCu~dVaMx~!RIt29Rpbh(aw}+&98ySQm0`n5$+L|H4m}hd;H-`KoiJ}VkIDMIJFU9u zqLCFFA=gl4dq`%{TOvrTKx8z8*&n~*67NO9*Vpx7@03$-(*TXdX6hgK zWlH8cB;XV19@Yz{$ukhz?IkIm6w>o5#AC|sctGU(d+)o8vBiAZJYa>$1xp zt;brHIeH5*-4LzEAfnjAB0CtKVy&*zkkY(_(n`iAUth0Xnok^ZqDoLI{!*Ys1h{bhN#QloS;~V;XM6qh#kd#n)4Ki}hf0RC%~^Nu?ls z$p}(ElSP&>a)WT+_cLnbo4hA@zvz6k9`9+O%o=qtQjo2w8K z`XHey>?OXb)}UxGGb0`BTbO)~%h+M}j)lu)IGV@z;@uLmz>r{3yo4Ge)cq#=YQ&UU z=!lAW80Fj&n}~}=8YAbyU?yiUw@@qaUF+?&x}R3$^}#=mp1x^ez0D#x8)wa}7#@e@ zBl$iN+&R}KD~}eW;$4!Z?Gu0e1pReZ2{x^Cd#$KOG>G7?at!Pd4lER9HlthRroe6% zPu+#0`2RT*ZC5MRN1ik-QcApQWlz2MscP-36E(v`C zUMFOyefV)ku!0?5ZcPr>V=OU-2n7*4wr3^Z*)-Q(90CcKM!5p-&Q74ed|qA;gWe73 z7!3piK7I|BWYota8gzU6J-jPI%_QjK5qysGtZX$cfU;HnuakP^dE}{J)>D3MU>QWJ zkLrV&V3E${GL#i;NSfp5O&HOqKFivO$?)9AKQikum-q(U>JaGeWwqFauz_cg5}eLk zk%(9AW||@3c7CBbF-)ZR7+En4hTw0lo8HbX&@Fi0&gEY`3l2_k@ zyC=pi_TPGJUQv3{)cGEM_%FghroO8(2{mWSmA`7FJMUJ`gR8Hv@yCdP8q?C~@f?_< z+KNs^hSD__GVo2z$@yz_aBUaphWej#UTuVp;}cxKNR2ne{Tda*+>yVs)y`Eom&Z*1 zH=pXv`Rn4TIk#k)e(i+9YK!6$H?0SnZH)zy3e=2ahW${Cc1MUHv1}(6V$xD`ME;Ss zr}<6ePePGqFE5|x=Uw5${ZPVdyWKW5f1t4QHq@N8?iz74=J#r;2Bn@X z*4}eCfyb_l`+02_)0GirLeURDkN3;|w!`X7?pDm1PpRs|5Quh{Vvh3PPLURReGUHz zfnJIr8K1=OCQI|8n;nz$_ zB-n?S3FrSK`DQ})i_9DIMYE$0 
zww$sb=%}>8xRU6^WYDLz)p@9lhV?H1LI^=~lvU!_K~*j2_w9d+WQVrrO}f{W>)rZ0 zx@xxcvynY4Z916B|9I$G*z+e}In}pUTe*kQS_+z5mrs0N)$aZD#!Ihq;DvpeLHtJ6 zc3hu#0DKNhyPbd(kVs_&X^bdDPCNaA{Y1K67*&(XY4W%8jHURz-Z>!}{o)r4J`4X^ z7miA|k1a;wG5{rMGWAb(c8=Pn>)jJry7loi1SG zHiercNAZ__Bzzo2mTFV*_Ue-ToK>cuX!@Nk>m_gv0RuISoSjx~_}{geM$_~dRB0cS zaRlVUPnn-z?l*5loV?f-`vYadtZ=kiXuzc8E3G7|jm=UQQH%0;WuPehPBQ8D;)aQE zs0uef*&M=*YA5kuVRClz7Jp)GhX!>sU@|9Vh%3-y>(jIu@-H#rxzwn0Q==3MO-c+x zsqt!1l!_vWMq4Yh?kfdox z8hc?AJQM}5R5gO9y>*r*4g9slbs%D0ptqHQ&p)jnt_ zCN`!(dsNalr1z*Chw5O(2L^=0hI`yz)1>YP;Aml-=XfoU*8 ztAyIKFC>FM(}Q2flJ)vnFMnc41_S(0Fa%v;&^3KXdXRmO3(lE@Pm~^RbR*~lx5p15 z+K7t9o=GsdjsVAx+jnOS<;xV%`4M%i(bTz$FWoHqT|V(zOx?rX+A8vaY%zruP~uwJ?0 zIr&dxjM}>%qH?nDfw26JA8hs40lc(c>dp#6}7;Sh5!ddeYv33m%5oZ`*YKfKBub&p`=L6P!+I}z{diqFT{F!v3{&U_DP$~MVZhc78AJ5bD z$PKf5ho!-ucBsb($)3;e?lA&9D2c~=AK$LxJ@?)Sbi2CJ&2AzB&Sz~)^AV4;3KQGGu9Ov=$cRp@*+FI152VjR{= zIVo-O-o)tYT+k&XiH+W+$sw-%qH=Ow4wTF96}ann9#i6_Mz@LZE-6V>>&d*dzkbnN zD;X5k;&yBUQLZhIqp^ynVl`*J{@MV4K?7_fS3kbMR8!m#WN0EW5n9Eq^XjIAB`P6uu6e~oyo^k z$NpkYM#hLVv$-4YcYW#Nd4PU57ng6)Yr+2=D}P()->t^{U;U2(775>-#xtykQsa+< z-f!p&KDkQyITfWcmJ&zftCddUsXAs^;AUG=py>ayG2)0Z6}b3F5vz$fDTZ>r;wBbB zG9yIY_n>A2j${^j0mk2<>A2{;?hS zZqS;2r+-in)k>1>wp~=yP$PidDudW9nVrVJDQ|m1*?S8j5$A?ho9q6QKIPd;^r4p# zUj^-LBrC1(yQDz<@Bf-;TfK)J9-7Ppd9KBgY?C0pkc&&?7i4AO9yNrUFTW0!ZcTGQ@j)Q~$(WeB@I+)q#+yUh*LMJabK_Uq-m7uiHflFMhhSnK$`)GH7t7pHoH zHuCzyMTDZ-ZMtNTQaOy3U)ISNy{qRt5j?LOD9TMhvoyLVFM!zYU5Jlllx zylwkA5y@``28yR#r$Xr^DQ|N;bQmSv&vec=(aK1<`Ic${AR9b77-wXxO`wK++>xQ@ z|B2EhwF^f%^wNj1q0n4iC>3UT&+WYDGkRMF55d&FFNyVM9jS(U0;Hf1zsZmGW#fl z(L#J`aIpPM_s5_tZ-Rl&{hs_%uKc~ zNv8eCyfcIgH9do)>ucx3b`~6r!5!E=cxKEKlHuB6H~tB(gz`4(qhDPdAj8&}JGd_F z8N}&@joLYN#XZaao-XNC2pYhUs_7i_h6hCe?dQ~MDb3e{ZUOG47QqNV_PJTZE_D5|g z__L5Zbi3+{lI*X_=<2pY5%q$OP z5vt{_ec^CIK4$p2hD6#D{89@$bI6C`jxJs)NPKF=Z1zP_en?q^ov02JxMgdZ9oN6$bcZcWrSnXzmd%v$4o z&9r5vj)_1_J|unbWE!ChoFirA^2n7<&&HvDQ~wHFEEM=oVvZd)!Eao^wr~=I7=>1f zbS*AJQo7~FXk(K!@k+$jJ0}<1#-@+tLWcvbILdsC8O&N$nao#>N_ymCr9-_zaSyUU 
Date: Thu, 21 Mar 2024 10:21:54 +0100 Subject: [PATCH 16/64] Upgrade vault to 1.15.6 --- hashicorp-vault/values.yaml | 2 +- tests/hashicorp-vault-industrial-edge-factory.expected.yaml | 4 ++-- tests/hashicorp-vault-industrial-edge-hub.expected.yaml | 4 ++-- tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml | 4 ++-- tests/hashicorp-vault-naked.expected.yaml | 4 ++-- tests/hashicorp-vault-normal.expected.yaml | 4 ++-- 6 files changed, 11 insertions(+), 11 deletions(-) diff --git a/hashicorp-vault/values.yaml b/hashicorp-vault/values.yaml index aca2fdb..cb1b769 100644 --- a/hashicorp-vault/values.yaml +++ b/hashicorp-vault/values.yaml @@ -48,4 +48,4 @@ vault: termination: "reencrypt" image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.15.5-ubi" + tag: "1.15.6-ubi" 
diff --git a/tests/hashicorp-vault-industrial-edge-factory.expected.yaml b/tests/hashicorp-vault-industrial-edge-factory.expected.yaml index 76454ee..0f2218b 100644 --- a/tests/hashicorp-vault-industrial-edge-factory.expected.yaml +++ b/tests/hashicorp-vault-industrial-edge-factory.expected.yaml @@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.5-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.6-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -373,7 +373,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.5-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.6-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/hashicorp-vault-industrial-edge-hub.expected.yaml b/tests/hashicorp-vault-industrial-edge-hub.expected.yaml index 76454ee..0f2218b 100644 --- a/tests/hashicorp-vault-industrial-edge-hub.expected.yaml +++ b/tests/hashicorp-vault-industrial-edge-hub.expected.yaml @@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.5-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.6-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -373,7 +373,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.5-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.6-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml b/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml index 76454ee..0f2218b 100644 --- a/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml +++ b/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml 
@@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.5-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.6-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -373,7 +373,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.5-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.6-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/hashicorp-vault-naked.expected.yaml b/tests/hashicorp-vault-naked.expected.yaml index fc05bc4..68b5a89 100644 --- a/tests/hashicorp-vault-naked.expected.yaml +++ b/tests/hashicorp-vault-naked.expected.yaml @@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.5-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.6-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -373,7 +373,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.5-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.6-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/hashicorp-vault-normal.expected.yaml b/tests/hashicorp-vault-normal.expected.yaml index 76454ee..0f2218b 100644 --- a/tests/hashicorp-vault-normal.expected.yaml +++ b/tests/hashicorp-vault-normal.expected.yaml @@ -204,7 +204,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.5-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.6-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -373,7 +373,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.5-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.15.6-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR From 399370f0d222157ca5ea00819a556af8de218afe Mon Sep 17 00:00:00 2001 
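Review bot: the bump to `tag: "1.15.6-ubi"` in hashicorp-vault/values.yaml (and the matching `image: registry.connect.redhat.com/hashicorp/vault:1.15.6-ubi` lines in the five tests/*.expected.yaml files) pins the Vault image by a mutable tag only, so what the test expectations "verify" can change underneath them when the registry re-tags. Consider recording the image digest alongside the tag (e.g. `registry.connect.redhat.com/hashicorp/vault@sha256:<digest of the 1.15.6-ubi image>`, placeholder, the digest is not in this patch) so the rendered manifests are immutable; the expected.yaml updates are otherwise consistent across all five variants.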
From: Michele Baldessari Date: Mon, 25 Mar 2024 16:07:58 +0100 Subject: [PATCH 17/64] Bind mount /etc/pki in the wrapper This is useful whenever a custom CA is installed on the system and is needed to connect to a remote cluster. --- scripts/pattern-util.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/pattern-util.sh b/scripts/pattern-util.sh index 9cec19f..ea02b7e 100755 --- a/scripts/pattern-util.sh +++ b/scripts/pattern-util.sh @@ -56,6 +56,7 @@ podman run -it --rm --pull=newer \ --security-opt label=disable \ -e EXTRA_HELM_OPTS \ -e KUBECONFIG \ + -v /etc/pki:/etc/pki:ro \ -v "${HOME}":"${HOME}" \ -v "${HOME}":/pattern-home \ ${PODMAN_ARGS} \ From a88f040f1a0a4880ed90b1adf3ffec8ea57b6d6b Mon Sep 17 00:00:00 2001 
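Review bot: `-v /etc/pki:/etc/pki:ro` in scripts/pattern-util.sh mounts the whole host PKI tree into the container, which on RHEL/Fedora hosts includes private key directories such as /etc/pki/tls/private and not just the CA trust anchors the commit message is after; with `--security-opt label=disable` two lines above, nothing on the SELinux side limits what the container can read there either. Keeping it read-only is right, but narrow the source to the trust store, e.g. `-v /etc/pki/ca-trust:/etc/pki/ca-trust:ro`, which is where a custom CA installed with update-ca-trust lands (/etc/pki/ca-trust/source/anchors and the extracted bundles).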
From: Michele Baldessari Date: Mon, 25 Mar 2024 17:27:09 +0100 Subject: [PATCH 18/64] Properly error out in preview-all when we cannot connect to the cluster Before: $ ./pattern.sh make preview-all make -f common/Makefile preview-all make[1]: Entering directory '/home/michele/Engineering/cloud-patterns/multicloud-gitops' error: Missing or incomplete configuration info. Please point to an existing, complete config file: 1. Via the command-line flag --kubeconfig 2. Via the KUBECONFIG environment variable 3. In your home directory as ~/.kube/config To view or setup config directly use the 'config' command. error: Missing or incomplete configuration info. Please point to an existing, complete config file: 1. Via the command-line flag --kubeconfig 2. Via the KUBECONFIG environment variable 3. In your home directory as ~/.kube/config To view or setup config directly use the 'config' command. ...This goes on for many more iterations... After: $ ./pattern.sh make preview-all make -f common/Makefile preview-all make[1]: Entering directory '/home/michele/Engineering/cloud-patterns/multicloud-gitops' Could not access the cluster: error: Missing or incomplete configuration info. Please point to an existing, complete config file: 1. Via the command-line flag --kubeconfig 2. Via the KUBECONFIG environment variable 3. In your home directory as ~/.kube/config To view or setup config directly use the 'config' command. make[1]: *** [common/Makefile:59: preview-all] Error 1 make[1]: Leaving directory '/home/michele/Engineering/cloud-patterns/multicloud-gitops' make: *** [Makefile:12: preview-all] Error 2 --- scripts/preview-all.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/scripts/preview-all.sh b/scripts/preview-all.sh index cc7775b..296e7dc 100755 --- a/scripts/preview-all.sh +++ b/scripts/preview-all.sh 
@@ -7,6 +7,14 @@ HUB=$( yq ".main.clusterGroupName" values-global.yaml ) MANAGED_CLUSTERS=$( yq ".clusterGroup.managedClusterGroups.[].name" values-$HUB.yaml ) ALL_CLUSTERS=( $HUB $MANAGED_CLUSTERS ) +CLUSTER_INFO_OUT=$(oc cluster-info 2>&1) +CLUSTER_INFO_RET=$? +if [ $CLUSTER_INFO_RET -ne 0 ]; then + echo "Could not access the cluster:" + echo "${CLUSTER_INFO_OUT}" + exit 1 +fi + for cluster in ${ALL_CLUSTERS[@]}; do APPS=$( yq ".clusterGroup.applications.[].name" values-$cluster.yaml ) for app in $APPS; do From ffd421b5117c0867677cc19f75aa67af6b40687e Mon Sep 17 00:00:00 2001 
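Review bot: the new pre-flight block in scripts/preview-all.sh depends on `CLUSTER_INFO_RET=$?` picking up the status of the command substitution on the previous line; bash does guarantee that for a plain `VAR=$(cmd)` assignment, but the two-step form breaks silently if the script ever runs under `set -e`, because the failing substitution aborts before "Could not access the cluster:" is printed. The single-statement form avoids both the extra variable and that trap: `CLUSTER_INFO_OUT=$(oc cluster-info 2>&1) || { echo "Could not access the cluster:"; echo "${CLUSTER_INFO_OUT}"; exit 1; }`. Unrelated to this hunk but visible in its context, `for cluster in ${ALL_CLUSTERS[@]}` should be `"${ALL_CLUSTERS[@]}"`.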
From: Michele Baldessari Date: Mon, 25 Mar 2024 17:44:32 +0100 Subject: [PATCH 19/64] Only include values files if they do exist in preview.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is because in helm we use "ignoreMissingValueFiles: true". I.e. we just ignore non existing value files. Let's do the same for the preview.sh script. Before: ❯ make preview-all make -f common/Makefile preview-all make[1]: Entering directory '/home/michele/Engineering/cloud-patterns/multicloud-gitops' Error: open /home/michele/Engineering/cloud-patterns/multicloud-gitops/overrides/values-None.yaml: no such file or directory Error: open /home/michele/Engineering/cloud-patterns/multicloud-gitops/overrides/values-None.yaml: no such file or directory Error: open /home/michele/Engineering/cloud-patterns/multicloud-gitops/overrides/values-None.yaml: no such file or directory Error: open /home/michele/Engineering/cloud-patterns/multicloud-gitops/overrides/values-None.yaml: no such file or directory Error: open /home/michele/Engineering/cloud-patterns/multicloud-gitops/overrides/values-None.yaml: no such file or directory common/scripts/preview.sh: eval: line 79: unexpected EOF while looking for matching `"' common/scripts/preview.sh: eval: line 79: unexpected EOF while looking for matching `"' common/scripts/preview.sh: eval: line 79: unexpected EOF while looking for matching `"' make[1]: *** [common/Makefile:59: preview-all] Error 2 make[1]: Leaving directory '/home/michele/Engineering/cloud-patterns/multicloud-gitops' make: *** [Makefile:12: preview-all] Error 2 After: ❯ make preview-all > /dev/null ; echo $? 0 --- scripts/preview.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/scripts/preview.sh b/scripts/preview.sh index 379f240..2d8079c 100755 --- a/scripts/preview.sh +++ b/scripts/preview.sh 
@@ -62,16 +62,16 @@ OVERRIDES=$( getOverrides ) VALUE_FILES="" IFS=$'\n' for line in $sharedValueFiles; do - if [ $line != "null" ]; then - file=$(replaceGlobals $line) - VALUE_FILES="$VALUE_FILES -f $PWD$file" + if [ $line != "null" ] && [ -f $line ]; then + file=$(replaceGlobals $line) + VALUE_FILES="$VALUE_FILES -f $PWD$file" fi done for line in $appValueFiles; do - if [ $line != "null" ]; then - file=$(replaceGlobals $line) - VALUE_FILES="$VALUE_FILES -f $PWD$file" + if [ $line != "null" ] && [ -f $line ]; then + file=$(replaceGlobals $line) + VALUE_FILES="$VALUE_FILES -f $PWD$file" fi done From e6241d9b163d147837b2fa409a4ed776a8b695a1 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Mon, 25 Mar 2024 18:46:21 +0100 Subject: [PATCH 20/64] Do not error out in preview when kustomize: true When `kustomize: true` simply take the path and call `kustomize build `. In any other case keep using helm for templating. Before: ... + common/scripts/preview.sh hub compliance-operator https://github.com/mbaldessari/multicloud-gitops.git preview-fixes Error: Chart.yaml file is missing After: ... + common/scripts/preview.sh hub compliance-operator https://github.com/mbaldessari/multicloud-gitops.git preview-fixes apiVersion: console.openshift.io/v1 kind: ConsoleNotification metadata: name: purpose-banner spec: backgroundColor: '#ff0000' color: '#fff' location: BannerTop text: HUBOPS --- scripts/preview.sh | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/scripts/preview.sh b/scripts/preview.sh index 2d8079c..762a8ec 100755 --- a/scripts/preview.sh +++ b/scripts/preview.sh @@ -57,6 +57,7 @@ CLUSTER_OPTS="$CLUSTER_OPTS --set global.clusterPlatform=$platform" sharedValueFiles=$(yq ".clusterGroup.sharedValueFiles" values-$SITE.yaml) appValueFiles=$(yq ".clusterGroup.applications.$APP.extraValueFiles" values-$SITE.yaml) +isKustomize=$(yq ".clusterGroup.applications.$APP.kustomize" values-$SITE.yaml) OVERRIDES=$( getOverrides ) VALUE_FILES="" 
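Review bot: in both loops of scripts/preview.sh the added `[ -f $line ]` tests the raw entry, but the path handed to helm is `$PWD$file` after `replaceGlobals`, so the two can disagree in both directions: an entry that still carries a global placeholder is skipped even when the resolved file exists, and if the entries have the `/overrides/values-....yaml` shape that the `$PWD$file` concatenation and the error output in the commit message suggest, `-f $line` is evaluated against the filesystem root and is false for every entry, silently dropping all value files rather than only the missing ones. Resolve first and test what will actually be used: `file=$(replaceGlobals "$line")` followed by `if [ "$line" != "null" ] && [ -f "$PWD$file" ]; then`. Quoting `$line` also avoids `[: !=: unary operator expected` on an empty line.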
@@ -75,5 +76,11 @@ for line in $appValueFiles; do fi done -cmd="helm template $chart --name-template ${APP} -n ${namespace} ${VALUE_FILES} ${OVERRIDES} ${CLUSTER_OPTS}" -eval "$cmd" +if [ $isKustomize == "true" ]; then + kustomizePath=$(yq ".clusterGroup.applications.$APP.path" values-$SITE.yaml) + cmd="kustomize build ${kustomizePath}" + eval "$cmd" +else + cmd="helm template $chart --name-template ${APP} -n ${namespace} ${VALUE_FILES} ${OVERRIDES} ${CLUSTER_OPTS}" + eval "$cmd" +fi From 8dee997ae865373ed7fcc395868001890281acfc Mon Sep 17 00:00:00 2001 From: Martin Jackson Date: Mon, 25 Mar 2024 14:45:47 -0500 Subject: [PATCH 21/64] Also pass EXTRA_PLAYBOOK_OPTS environment setting --- scripts/pattern-util.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/pattern-util.sh b/scripts/pattern-util.sh index ea02b7e..0d1b8fa 100755 --- a/scripts/pattern-util.sh +++ b/scripts/pattern-util.sh @@ -55,6 +55,7 @@ fi podman run -it --rm --pull=newer \ --security-opt label=disable \ -e EXTRA_HELM_OPTS \ + -e EXTRA_PLAYBOOK_OPTS \ -e KUBECONFIG \ -v /etc/pki:/etc/pki:ro \ -v "${HOME}":"${HOME}" \ From dafd44b812ad2ea9fd2ab414198079abdfbb8602 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Tue, 26 Mar 2024 09:49:20 +0100 Subject: [PATCH 22/64] Use oc kustomize That is what we have inside the utility container, so let's just rely on that --- scripts/preview.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/preview.sh b/scripts/preview.sh index 762a8ec..154e7bd 100755 --- a/scripts/preview.sh +++ b/scripts/preview.sh @@ -78,7 +78,7 @@ done if [ $isKustomize == "true" ]; then kustomizePath=$(yq ".clusterGroup.applications.$APP.path" values-$SITE.yaml) - cmd="kustomize build ${kustomizePath}" + cmd="oc kustomize ${kustomizePath}" eval "$cmd" else cmd="helm template $chart --name-template ${APP} -n ${namespace} ${VALUE_FILES} ${OVERRIDES} ${CLUSTER_OPTS}" From a2c3a2e6e75ab5e3c769752b98c0f3a255b52e95 Mon Sep 17 00:00:00 2001 
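Review bot: the kustomize branch added to scripts/preview.sh (and retargeted to `oc kustomize` two patches later) builds a command string from the `.clusterGroup.applications.$APP.path` value and runs it through `eval`, so any shell metacharacters in that values-file entry are interpreted rather than treated as part of the path; there is no substitution to perform here, so the direct call `oc kustomize "${kustomizePath}"` does the same job without eval (the helm branch inherits the same pattern from the original code and would benefit from the same treatment). Also, `[ $isKustomize == "true" ]` is unquoted and relies on the bash-only `==` inside `[`; `[ "$isKustomize" = "true" ]` is portable and still correct for the `null` that yq returns when the key is absent.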
From: Michele Baldessari Date: Tue, 26 Mar 2024 10:09:51 +0100 Subject: [PATCH 23/64] Print out application being parsed for easier debugging --- scripts/preview-all.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/preview-all.sh b/scripts/preview-all.sh index 296e7dc..9fdcd95 100755 --- a/scripts/preview-all.sh +++ b/scripts/preview-all.sh @@ -18,6 +18,7 @@ fi for cluster in ${ALL_CLUSTERS[@]}; do APPS=$( yq ".clusterGroup.applications.[].name" values-$cluster.yaml ) for app in $APPS; do + printf "# Parsing application $app from cluster $cluster\n" common/scripts/preview.sh $cluster $app $REPO $TARGET_BRANCH done done From c634054d9f19487ad9943a0f6d2328e579756482 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Wed, 27 Mar 2024 11:57:28 +0100 Subject: [PATCH 24/64] Add .global.secretStore.backend in the clustergroup schema It is currently not there even though we mention it in the values files. --- clustergroup/values.schema.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/clustergroup/values.schema.json b/clustergroup/values.schema.json index e88fc5a..0ab0fc3 100644 --- a/clustergroup/values.schema.json +++ b/clustergroup/values.schema.json @@ -153,6 +153,9 @@ }, "options": { "$ref": "#/definitions/Options" + }, + "secretStore": { + "$ref": "#/definitions/GlobalSecretStore" } }, "required": [ @@ -160,6 +163,18 @@ ], "title": "Global" }, + "GlobalSecretStore": { + "type": "object", + "additionalProperties": false, + "properties": { + "backend": { + "type": "string", + "description": "Name of the secrets backend", + "default": "vault" + } + }, + "title": "GlobalSecretsStore" + }, "GlobalGit": { "type": "object", "additionalProperties": true, From 5280f2ca9f6253245b7215bc2e724a778e96f183 Mon Sep 17 00:00:00 2001 
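Review bot: `printf "# Parsing application $app from cluster $cluster\n"` in scripts/preview-all.sh interpolates the names into printf's format string, so an application or cluster name containing `%` or a backslash sequence is interpreted by printf instead of printed; pass them as arguments: `printf '# Parsing application %s from cluster %s\n' "$app" "$cluster"`. Prefixing the line with `#` is a good choice since it keeps the concatenated YAML stream parseable.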
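Review bot: in clustergroup/values.schema.json the new definition is registered as `GlobalSecretStore` and referenced as `"$ref": "#/definitions/GlobalSecretStore"`, but its `"title"` reads `GlobalSecretsStore`; make the title match the definition name so schema-derived docs and validation messages agree. Note also that `secretStore` is added to `Global` without being listed under `required`, and the new object has no required properties either, so `secretStore: {}` and an absent `secretStore` both validate; that is consistent with the `"default": "vault"` here but the templates that consume the value need to tolerate both shapes.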
From: Michele Baldessari Date: Thu, 28 Mar 2024 15:24:40 +0100 Subject: [PATCH 25/64] Fix check for secretStore.backend MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The default function in helm is somewhat unintuitive: ❯ cat templates/test.yaml metadata: name: foo {{- if eq .Values.global.secretStore.backend "vault" | default "vault" }} label: vault_is_here {{- else }} labe: not_here {{- end }} ❯ helm template --set global.secretStore.backend=foo . metadata: name: foo label: vault_is_here No matter the value of .Values.global.secretStore.backend, the default branch takes over. So let's change this to something that is correct albeit somewhat less readable Tested as follows: # global.secretStore.backend unset ❯ helm template --set global.secretStore.backend=null common/clustergroup |grep unsealjob.yaml |wc -l 1 # global.secretStore.backend set to 'vault' ❯ helm template --set global.secretStore.backend=vault common/clustergroup |grep unsealjob.yaml |wc -l 1 # global.secretStore.backend set to 'kubernetes' ❯ helm template --set global.secretStore.backend=kubernetes common/clustergroup |grep unsealjob.yaml |wc -l 0 ❯ helm template --set global.secretStore.backend=vault golang-external-secrets |grep -- -backend name: vault-backend ❯ helm template --set global.secretStore.backend=null golang-external-secrets |grep -- -backend name: vault-backend ❯ helm template --set global.secretStore.backend=kubernetes golang-external-secrets |grep -- -backend name: kubernetes-backend --- clustergroup/templates/imperative/unsealjob.yaml | 4 +++- .../kubernetes/golang-external-secrets-hub-secretstore.yaml | 5 ++--- .../vault/golang-external-secrets-hub-secretstore.yaml | 5 ++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/clustergroup/templates/imperative/unsealjob.yaml b/clustergroup/templates/imperative/unsealjob.yaml index 4db14be..b251c5d 100644 --- a/clustergroup/templates/imperative/unsealjob.yaml 
+++ b/clustergroup/templates/imperative/unsealjob.yaml @@ -1,4 +1,6 @@ -{{- if eq .Values.global.secretStore.backend "vault" | default "vault" }} +{{/* If the backend is not set at all we default to "vault". See https://www.github.com/helm/helm/issues/3308 + why we avoid using the default function */}} +{{- if or (eq .Values.global.secretStore.backend "vault") (not (hasKey .Values.global.secretStore "backend")) }} {{- if not (eq .Values.enabled "plumbing") }} {{- if $.Values.clusterGroup.isHubCluster }} --- diff --git a/golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-secretstore.yaml b/golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-secretstore.yaml index 62253f1..02128e9 100644 --- a/golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-secretstore.yaml +++ b/golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-secretstore.yaml @@ -1,10 +1,9 @@ -{{- $backend := .Values.global.secretStore.backend | default "vault" }} -{{- if eq $backend "kubernetes" }} +{{- if eq .Values.global.secretStore.backend "kubernetes" }} --- apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore metadata: - name: {{ $backend }}-backend + name: kubernetes-backend namespace: golang-external-secrets spec: provider: diff --git a/golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml b/golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml index 8fdd4ab..59f5508 100644 --- a/golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml +++ b/golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml 
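Review bot: in the clustergroup/templates/imperative/unsealjob.yaml hunk, the new condition `(not (hasKey .Values.global.secretStore "backend"))` assumes `.Values.global.secretStore` is a map; if a values file omits the whole `secretStore` block, `hasKey` is handed a nil and rendering fails instead of defaulting to vault. Guarding with `(hasKey (.Values.global.secretStore | default dict) "backend")`, or declaring `global.secretStore: {}` in the chart's values.yaml, covers that case. The same expression is repeated verbatim in the vault secretstore template below; a named helper in `_helpers.tpl` that answers whether vault is the effective backend would keep the two copies from drifting. Minor: the comment links to `www.github.com/helm/helm/issues/3308`; `github.com` is the canonical host.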
@@ -1,10 +1,9 @@ -{{- $backend := .Values.global.secretStore.backend | default "vault" }} -{{- if eq $backend "vault" }} +{{- if or (eq .Values.global.secretStore.backend "vault") (not (hasKey .Values.global.secretStore "backend")) }} --- apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore metadata: - name: {{ $backend }}-backend + name: vault-backend namespace: golang-external-secrets spec: provider: From 8869f11989320d07700203b6d6d50a31ec064639 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Thu, 28 Mar 2024 18:45:13 +0100 Subject: [PATCH 26/64] Introduce a generic parameter override via the EXTRA_ARGS env variable This way a user can decide to modify the podman command line. For example to inject additional useful extra variables in the container. For example: export EXTRA_ARGS="-e OCP_DOMAIN" ./pattern-util.sh make preview-all.sh --- scripts/pattern-util.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/pattern-util.sh b/scripts/pattern-util.sh index 0d1b8fa..0f865e0 100755 --- a/scripts/pattern-util.sh +++ b/scripts/pattern-util.sh @@ -61,6 +61,7 @@ podman run -it --rm --pull=newer \ -v "${HOME}":"${HOME}" \ -v "${HOME}":/pattern-home \ ${PODMAN_ARGS} \ + ${EXTRA_ARGS} \ -w "$(pwd)" \ "$PATTERN_UTILITY_CONTAINER" \ $@ From ba583f569aa571827c82e498bcca15c98af7a3d3 Mon Sep 17 00:00:00 2001 
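Review bot: in the scripts/pattern-util.sh hunk, `${EXTRA_ARGS}` is expanded unquoted, so it is word-split on whitespace and glob-expanded before reaching `podman run`; that is what makes `-e OCP_DOMAIN` work, but an override such as `-e FOO="a b"` or a value containing `*` will not survive intact. Worth a comment next to the variable stating that it must be a plain space-separated list of arguments, or a switch to a bash array (`"${EXTRA_ARGS[@]}"`) if quoted values are expected.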
From: Michele Baldessari Date: Thu, 28 Mar 2024 18:51:11 +0100 Subject: [PATCH 27/64] Allow overriding the oc lookups in preview.sh This allows us to inject values to ease testing. Tested as follows: $ unset OCP_DOMAIN OCP_PLATFORM OCP_VERSION $ export EXTRA_ARGS="-e OCP_DOMAIN -e OCP_PLATFORM -e OCP_VERSION" $ ./pattern.sh make preview-all &> /tmp/1 $ export OCP_DOMAIN=adifferentdomain.foo $ ./pattern.sh make preview-all &> /tmp/2 # Templates have effectively changed the domain $ diff -u /tmp/1 /tmp/2 | wc -l 73 $ unset OCP_DOMAIN # Without the domain change the templates are unchanged $ ./pattern.sh make preview-all &> /tmp/3 $ diff -u /tmp/1 /tmp/3 | wc -l 0 Note: When using pattern.sh you will need to inject the env variables in the container via `export EXTRA_ARGS="-e OCP_PLATFORM -e OCP_VERSION -e OCP_DOMAIN"` --- scripts/preview.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/scripts/preview.sh b/scripts/preview.sh index 154e7bd..347a0cd 100755 --- a/scripts/preview.sh +++ b/scripts/preview.sh 
@@ -17,9 +17,13 @@ chart=$(yq ".clusterGroup.applications.$APP.path" values-$SITE.yaml) namespace=$(yq ".clusterGroup.applications.$APP.namespace" values-$SITE.yaml) pattern=$(yq ".global.pattern" values-global.yaml) -platform=$(oc get Infrastructure.config.openshift.io/cluster -o jsonpath='{.spec.platformSpec.type}') -ocpversion=$(oc get clusterversion/version -o jsonpath='{.status.desired.version}' | awk -F. '{print $1"."$2}') -domain=$(oc get Ingress.config.openshift.io/cluster -o jsonpath='{.spec.domain}' | sed 's/^apps.//') +# You can override the default lookups by using OCP_{PLATFORM,VERSION,DOMAIN} +# Note that when using the utility container you need to pass in the above variables +# by export EXTRA_ARGS="-e OCP_PLATFORM -e OCP_VERSION -e OCP_DOMAIN" before +# invoking pattern-util.sh +platform=${OCP_PLATFORM:-$(oc get Infrastructure.config.openshift.io/cluster -o jsonpath='{.spec.platformSpec.type}')} +ocpversion=${OCP_VERSION:-$(oc get clusterversion/version -o jsonpath='{.status.desired.version}' | awk -F. '{print $1"."$2}')} +domain=${OCP_DOMAIN:-$(oc get Ingress.config.openshift.io/cluster -o jsonpath='{.spec.domain}' | sed 's/^apps.//')} function replaceGlobals() { output=$( echo $1 | sed -e 's/ //g' -e 's/\$//g' -e s@^-@@g -e s@\'@@g ) From 66d426dfb904a3099d747df9629ddaaed1d360a4 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Fri, 29 Mar 2024 11:25:05 +0100 Subject: [PATCH 28/64] Always include values-global.yaml and values-.yaml Those are the starting points for setting the values. Without this, for example, the rendering of common/acm on the hub is basically empty because clusterGroup.isHubCluster won't be true. --- scripts/preview.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/preview.sh b/scripts/preview.sh index 347a0cd..a39b104 100755 --- a/scripts/preview.sh +++ b/scripts/preview.sh 
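Review bot: in the scripts/preview.sh hunk, `${OCP_PLATFORM:-$(oc ...)}` treats an exported-but-empty variable as unset and falls back to the `oc` lookup, and when `oc` fails (no cluster reachable, no kubeconfig in the container) the variable silently ends up empty and the chart is rendered with a blank platform, version or domain. Since the point of the override is to render without a cluster, consider failing early when a value is still empty after the fallback, e.g. `: "${platform:?set OCP_PLATFORM or log in to a cluster}"`, so the output is not a misleading partial render.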
@@ -64,7 +64,7 @@ appValueFiles=$(yq ".clusterGroup.applications.$APP.extraValueFiles" values-$SIT isKustomize=$(yq ".clusterGroup.applications.$APP.kustomize" values-$SITE.yaml) OVERRIDES=$( getOverrides ) -VALUE_FILES="" +VALUE_FILES="-f values-global.yaml -f values-$SITE.yaml" IFS=$'\n' for line in $sharedValueFiles; do if [ $line != "null" ] && [ -f $line ]; then From 4de8385661f99f88dc4757fae72d798de7dace4e Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Fri, 29 Mar 2024 11:41:59 +0100 Subject: [PATCH 29/64] Add help and message clarifying that preview has certain limits --- Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 0d5d0a3..c6c7539 100644 --- a/Makefile +++ b/Makefile @@ -55,7 +55,8 @@ help: ## This help message show: ## show the starting template without installing it helm template common/operator-install/ --name-template $(NAME) $(HELM_OPTS) -preview-all: +preview-all: ## (EXPERIMENTAL) Previews all applications on hub and managed clusters + @echo "NOTE: This is just a tentative approximation of rendering all hub and managed clusters templates" @common/scripts/preview-all.sh $(TARGET_REPO) $(TARGET_BRANCH) preview-%: From d7e913bca9bb6fc5313d20e1d56be64f894ebe97 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Fri, 29 Mar 2024 12:07:40 +0100 Subject: [PATCH 30/64] Add clustergroup support to preview target With this the preview all should be a lot more complete and useful. Closes: https://github.com/validatedpatterns/common/issues/452 --- scripts/preview-all.sh | 3 ++- scripts/preview.sh | 9 +++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/scripts/preview-all.sh b/scripts/preview-all.sh index 9fdcd95..4bf5932 100755 --- a/scripts/preview-all.sh +++ b/scripts/preview-all.sh 
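Review bot: in the scripts/preview.sh hunk, `VALUE_FILES="-f values-global.yaml -f values-$SITE.yaml"` is added without the `[ -f ... ]` existence check that the loop right below applies to every other values file, so a typo in the site name surfaces as a helm error rather than a clear message from the script. A check before the assignment, mirroring the loop, keeps the behaviour consistent; `$SITE` should also be quoted here for the same reason as in the loop.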
@@ -16,7 +16,8 @@ if [ $CLUSTER_INFO_RET -ne 0 ]; then fi for cluster in ${ALL_CLUSTERS[@]}; do - APPS=$( yq ".clusterGroup.applications.[].name" values-$cluster.yaml ) + # We always add clustergroup as it is the entry point and it gets special cased in preview.sh. + APPS="clustergroup $( yq ".clusterGroup.applications.[].name" values-$cluster.yaml )" for app in $APPS; do printf "# Parsing application $app from cluster $cluster\n" common/scripts/preview.sh $cluster $app $REPO $TARGET_BRANCH diff --git a/scripts/preview.sh b/scripts/preview.sh index a39b104..d5e695e 100755 --- a/scripts/preview.sh +++ b/scripts/preview.sh @@ -13,8 +13,13 @@ APP=$1; shift GIT_REPO=$1; shift GIT_BRANCH=$1; shift -chart=$(yq ".clusterGroup.applications.$APP.path" values-$SITE.yaml) -namespace=$(yq ".clusterGroup.applications.$APP.namespace" values-$SITE.yaml) +if [ "${APP}" != "clustergroup" ]; then + chart=$(yq ".clusterGroup.applications.$APP.path" values-$SITE.yaml) + namespace=$(yq ".clusterGroup.applications.$APP.namespace" values-$SITE.yaml) +else + chart="common/clustergroup" + namespace="openshift-operators" +fi pattern=$(yq ".global.pattern" values-global.yaml) # You can override the default lookups by using OCP_{PLATFORM,VERSION,DOMAIN} From dd25da002c36c035407c7f70485961fdbe5488c3 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Fri, 29 Mar 2024 13:22:02 +0100 Subject: [PATCH 31/64] Fix preview when the application's index name is not the same as the name attribute This covers the following case: foobar: name: foo namespace: foo project: foo path: charts/all/foo The preview.sh script is passed the name attribute of the application `foo`. So now we first find the key which corresponds to the attribute name `foo` and then use that when looking up the other attributes like path, etc. Closes: https://github.com/validatedpatterns/multicloud-gitops/issues/351 --- scripts/preview.sh | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) 
diff --git a/scripts/preview.sh b/scripts/preview.sh index d5e695e..ac2cd5c 100755 --- a/scripts/preview.sh +++ b/scripts/preview.sh @@ -9,14 +9,23 @@ # - Make output can be included in the YAML. SITE=$1; shift -APP=$1; shift +APPNAME=$1; shift GIT_REPO=$1; shift GIT_BRANCH=$1; shift -if [ "${APP}" != "clustergroup" ]; then +if [ "${APPNAME}" != "clustergroup" ]; then + # This covers the following case: + # foobar: + # name: foo + # namespace: foo + # project: foo + # path: charts/all/foo + # So we retrieve the actual index ("foobar") given the name attribute of the application + APP=$(yq ".clusterGroup.applications | with_entries(select(.value.name == \"$APPNAME\")) | keys | .[0]" values-$SITE.yaml) chart=$(yq ".clusterGroup.applications.$APP.path" values-$SITE.yaml) namespace=$(yq ".clusterGroup.applications.$APP.namespace" values-$SITE.yaml) else + APP=$APPNAME chart="common/clustergroup" namespace="openshift-operators" fi From 4ec9d3e3f3808ef4a17e66c7827b8a6a6c2f5b08 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Mon, 8 Apr 2024 21:21:36 +0200 Subject: [PATCH 32/64] Force strings in extraParametersNested Otherwise if we pass a boolean in the extraParametersNested we will get: spec.source.helm.parameters[10].value: Invalid value: "boolean": spec.source.helm.parameters[10].value in body must be of type string: "boolean" --- clustergroup/templates/plumbing/applications.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/clustergroup/templates/plumbing/applications.yaml b/clustergroup/templates/plumbing/applications.yaml index 3706d83..dbfefa8 100644 --- a/clustergroup/templates/plumbing/applications.yaml +++ b/clustergroup/templates/plumbing/applications.yaml @@ -105,7 +105,7 @@ spec: {{- end }} {{- range $k, $v := $.Values.extraParametersNested }} - name: {{ $k }} - value: {{ $v }} + value: {{ printf "%s" $v | quote }} {{- end }} {{- range .overrides }} - name: {{ .name }} 
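Review bot: in the scripts/preview.sh hunk, the `yq` lookup returns the literal string `null` when no application has `name == $APPNAME`, and the script then proceeds with `.clusterGroup.applications.null.path`, so a mistyped or renamed application yields an empty chart path instead of an error; check `[ "$APP" = "null" ]` and exit with a message. The name is also spliced into the yq expression via `\"$APPNAME\"`, so a name containing a double quote breaks the filter; mikefarah yq can read it from the environment instead (`select(.value.name == strenv(APPNAME))` with `APPNAME` exported), which sidesteps the quoting.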
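Review bot: in the clustergroup/templates/plumbing/applications.yaml hunk at `@@ -105,7 +105,7 @@`, `printf "%s" $v` only fixes booleans: Go's `%s` verb applied to a number renders as `%!s(float64=10)` (numbers read from values.yaml arrive in templates as float64), so an integer passed through `extraParametersNested` now produces a garbled string where before it produced the type error quoted in the commit message. `{{ $v | toString | quote }}` (or `printf "%v"`) handles strings, booleans and numbers uniformly.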
@@ -184,7 +184,7 @@ spec: {{- end }} {{- range $k, $v := $.Values.extraParametersNested }} - name: {{ $k }} - value: {{ $v }} + value: {{ printf "%s" $v | quote }} {{- end }} {{- range .overrides }} - name: {{ .name }} @@ -251,7 +251,7 @@ spec: {{- end }} {{- range $k, $v := $.Values.extraParametersNested }} - name: {{ $k }} - value: {{ $v }} + value: {{ printf "%s" $v | quote }} {{- end }} {{- range .overrides }} - name: {{ .name }} From cb77e121b9fbb2c152d21552678253cb1bf1794b Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Wed, 10 Apr 2024 13:50:28 +0200 Subject: [PATCH 33/64] In ACM policies do not use $ARGOCD_APP_SOURCE_* variables The reason for this is the following: When changing the repo on the hub (by editing the pattern), the expectation is that the repo change will replicate from the hub to the spokes managed by ACM. Today this is very unlikely to happen because changing the repo on the hub will not change the policy and so ACM will not reapply it on the spokes. (I believe there is like a daily repush that happens even when the policy has not changed, but that is way too slow to be relied upon). By using the actual variable the policy will actually change, ACM will notice this and push the change on the spokes. Found while testing disconnected mode. I am not replacing them everywhere because I am not sure yet if there are additional semantics in common/clustergroup that I am unaware of. --- acm/templates/policies/application-policies.yaml | 4 ++-- tests/acm-industrial-edge-hub.expected.yaml | 4 ++-- tests/acm-medical-diagnosis-hub.expected.yaml | 4 ++-- tests/acm-normal.expected.yaml | 8 ++++---- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/acm/templates/policies/application-policies.yaml b/acm/templates/policies/application-policies.yaml index 01082e5..6854889 100644 --- a/acm/templates/policies/application-policies.yaml +++ b/acm/templates/policies/application-policies.yaml 
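Review bot: the hunks at `@@ -184,7 +184,7 @@` and `@@ -251,7 +251,7 @@` repeat the same `printf "%s" $v | quote` line, so the number-rendering caveat applies to all three copies; since the whole `range $k, $v := $.Values.extraParametersNested` block is now identical in three places, moving it into a named template in `_helpers.tpl` would mean the next fix lands once.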
@@ -52,9 +52,9 @@ spec: {{- end }} parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: {{ $.Values.global.repoURL }} - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: {{ $.Values.global.targetRevision }} - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern diff --git a/tests/acm-industrial-edge-hub.expected.yaml b/tests/acm-industrial-edge-hub.expected.yaml index 0759301..59c7e60 100644 --- a/tests/acm-industrial-edge-hub.expected.yaml +++ b/tests/acm-industrial-edge-hub.expected.yaml @@ -225,9 +225,9 @@ spec: - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern diff --git a/tests/acm-medical-diagnosis-hub.expected.yaml b/tests/acm-medical-diagnosis-hub.expected.yaml index 959fbe3..3a65a6b 100644 --- a/tests/acm-medical-diagnosis-hub.expected.yaml +++ b/tests/acm-medical-diagnosis-hub.expected.yaml @@ -216,9 +216,9 @@ spec: - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern 
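Review bot: in the acm/templates/policies/application-policies.yaml hunk, the new `value: {{ $.Values.global.repoURL }}` and `value: {{ $.Values.global.targetRevision }}` are emitted unquoted, unlike the `helmOverrides` entries in the same file which use `| quote`; a `targetRevision` such as `1.0` or `true` would then be typed as a number or boolean by the YAML parser and rejected by the Application CRD, which requires a string. Suggest `| quote` on both. The expected-output updates in the `tests/` hunks are consistent with the template change.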
diff --git a/tests/acm-normal.expected.yaml b/tests/acm-normal.expected.yaml index 87071cc..af97f53 100644 --- a/tests/acm-normal.expected.yaml +++ b/tests/acm-normal.expected.yaml @@ -619,9 +619,9 @@ spec: - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -715,9 +715,9 @@ spec: - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern From 8dbb5ff7809f39d6b80874f762c4bad22cd09730 Mon Sep 17 00:00:00 2001 
From: Michele Baldessari Date: Tue, 20 Feb 2024 21:20:42 +0100 Subject: [PATCH 34/64] Add support for custom CAs This feature relies on the VP operator version >= 0.0.44 in order to work. The way to enable this is to add a feature flag called 'initcontainers' in the VP operator. Once this is enabled, we will detect this and take over all the ArgoCD instances' definitions and add initContainers which will inject the CAs contained in the trusted-bundle-ca configmap and also the openshift internal CA. Testing protocol: 1. (Operator 0.0.44) MCG deployment with experimentalCapabilities set to '' and using a github main upstream (i.e. without this PR) 2. (Operator 0.0.44) MCG deployment with experimentalCapabilities set to 'initcontainers' and using a github disconnected common upstream (requiring a custom CA) (i.e. with this PR) 3. (Operator 0.0.44) MCG deployment with experimentalCapabilities set to '' and using a github disconnected common upstream. (same as 1.2) and then set the initcontainer capability on the hub. Checked that the .global.experimentalCapabilities property replicated from hub to spoke and the initcontainers have been generated correctly 3.1 (Operator 0.0.44) Change the repo from github to an internal one that does need the custom ca to work 4. (Operator 0.0.43) Test an old operator with a newer common that contains this very branch Note: Once we make initcontainers a default feature of the operator we will remove the ifs added in this PR and just make it the default behaviour.
--- .../policies/application-policies.yaml | 3 + acm/templates/policies/ocp-gitops-policy.yaml | 167 ++++++++++++++++++ clustergroup/templates/_helpers.tpl | 2 + .../templates/imperative/_helpers.tpl | 103 ++++++++++- .../templates/imperative/configmap.yaml | 9 + clustergroup/templates/imperative/job.yaml | 21 ++- .../templates/imperative/unsealjob.yaml | 22 ++- clustergroup/templates/plumbing/argocd.yaml | 43 +++++ .../plumbing/trusted-bundle-ca-configmap.yaml | 7 + 9 files changed, 366 insertions(+), 11 deletions(-) create mode 100644 clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml diff --git a/acm/templates/policies/application-policies.yaml b/acm/templates/policies/application-policies.yaml index 6854889..925915c 100644 --- a/acm/templates/policies/application-policies.yaml +++ b/acm/templates/policies/application-policies.yaml @@ -1,4 +1,5 @@ # TODO: Also create a GitOpsCluster.apps.open-cluster-management.io +{{- $hasInitContainerCapability := and (.Values.global.experimentalCapabilities) (has "initcontainers" (splitList "," .Values.global.experimentalCapabilities)) }} {{- range .Values.clusterGroup.managedClusterGroups }} {{- $group := . }} {{- if not .hostedArgoSites }} @@ -75,6 +76,8 @@ spec: value: {{ $.Values.global.clusterPlatform }} - name: clusterGroup.name value: {{ $group.name }} + - name: global.experimentalCapabilities + value: {{ $.Values.global.experimentalCapabilities }} {{- range .helmOverrides }} - name: {{ .name }} value: {{ .value | quote }} diff --git a/acm/templates/policies/ocp-gitops-policy.yaml b/acm/templates/policies/ocp-gitops-policy.yaml index a0ed611..f46b30c 100644 --- a/acm/templates/policies/ocp-gitops-policy.yaml +++ b/acm/templates/policies/ocp-gitops-policy.yaml 
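Review bot: in the acm/templates/policies/application-policies.yaml hunk at `@@ -75,6 +76,8 @@`, `value: {{ $.Values.global.experimentalCapabilities }}` renders as a bare `value:` (YAML null) when the capability string is unset, while the neighbouring `helmOverrides` entries are `| quote`d; `value: {{ $.Values.global.experimentalCapabilities | default "" | quote }}` keeps the parameter a string in every case. The `$hasInitContainerCapability` expression relies on `and` short-circuiting so that `splitList` never sees a nil; that holds for the Go versions Helm 3.13 is built with, but the same expression is copied into five templates in this patch, so a one-line comment at each definition explaining why the `and` guard is there would help the next reader.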
@@ -1,3 +1,4 @@ +{{- $hasInitContainerCapability := and (.Values.global.experimentalCapabilities) (has "initcontainers" (splitList "," .Values.global.experimentalCapabilities)) }} apiVersion: policy.open-cluster-management.io/v1 kind: Policy metadata: @@ -24,6 +25,15 @@ spec: include: - default object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-ca-bundle + namespace: openshift-gitops + labels: + config.openshift.io/inject-trusted-cabundle: 'true' - complianceType: mustonlyhave objectDefinition: # This is an auto-generated file. DO NOT EDIT 
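Review bot: in the acm/templates/policies/ocp-gitops-policy.yaml hunk at `@@ -24,6 +25,15 @@`, the `trusted-ca-bundle` ConfigMap is enforced with `complianceType: mustonlyhave` but the template carries no `data`; the `config.openshift.io/inject-trusted-cabundle` label causes the cluster to populate `data.ca-bundle.crt` after creation, so it is worth verifying on a live hub that the policy controller does not report the injected key as drift or strip it on enforce. `musthave` expresses the intent (the label must be present, the data is owned by the injector) without that risk.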
@@ -44,6 +54,163 @@ spec: env: - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES value: "*" +{{- if $hasInitContainerCapability }} + - complianceType: mustonlyhave + objectDefinition: + apiVersion: argoproj.io/v1beta1 + kind: ArgoCD + metadata: + name: openshift-gitops + namespace: openshift-gitops + spec: + applicationSet: + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 250m + memory: 512Mi + webhookServer: + ingress: + enabled: false + route: + enabled: false + controller: + processors: {} + resources: + limits: + cpu: "2" + memory: 2Gi + requests: + cpu: 250m + memory: 1Gi + sharding: {} + grafana: + enabled: false + ingress: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + route: + enabled: false + ha: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + initialSSHKnownHosts: {} + monitoring: + enabled: false + notifications: + enabled: false + prometheus: + enabled: false + ingress: + enabled: false + route: + enabled: false + rbac: + defaultPolicy: "" + policy: |- + g, system:cluster-admins, role:admin + g, cluster-admins, role:admin + scopes: '[groups]' + redis: + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + repo: + initContainers: + - command: + - bash + - -c + - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt > /tmp/ca-bundles/ca-bundle.crt + || true + image: registry.access.redhat.com/ubi9/ubi-minimal:latest + name: fetch-ca + resources: {} + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles + resources: + limits: + cpu: "1" + memory: 1Gi + requests: + cpu: 250m + memory: 256Mi + volumeMounts: + - mountPath: /etc/pki/tls/certs + name: ca-bundles + volumes: + - configMap: + name: kube-root-ca.crt + name: kube-root-ca + - configMap: + 
name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle + - emptyDir: {} + name: ca-bundles + resourceExclusions: |- + - apiGroups: + - tekton.dev + clusters: + - '*' + kinds: + - TaskRun + - PipelineRun + server: + autoscale: + enabled: false + grpc: + ingress: + enabled: false + ingress: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 125m + memory: 128Mi + route: + enabled: true + service: + type: "" + sso: + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + provider: dex + tls: + ca: {} +{{- end }}{{/* if hasInitContainerCapability */}} --- apiVersion: policy.open-cluster-management.io/v1 kind: PlacementBinding diff --git a/clustergroup/templates/_helpers.tpl b/clustergroup/templates/_helpers.tpl index 83b06a0..cd0f5e8 100644 --- a/clustergroup/templates/_helpers.tpl +++ b/clustergroup/templates/_helpers.tpl @@ -22,6 +22,8 @@ Default always defined top-level variables for helm charts value: {{ coalesce $.Values.global.localClusterDomain $.Values.global.hubClusterDomain }} - name: global.privateRepo value: {{ $.Values.global.privateRepo | quote }} +- name: global.experimentalCapabilities + value: {{ $.Values.global.experimentalCapabilities | default "" }} {{- end }} {{/* clustergroup.globalvaluesparameters */}} diff --git a/clustergroup/templates/imperative/_helpers.tpl b/clustergroup/templates/imperative/_helpers.tpl index f75e781..64786ac 100644 --- a/clustergroup/templates/imperative/_helpers.tpl +++ b/clustergroup/templates/imperative/_helpers.tpl 
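Review bot: in the ocp-gitops-policy.yaml hunk at `@@ -44,6 +54,163 @@`, the `fetch-ca` init container pulls `registry.access.redhat.com/ubi9/ubi-minimal:latest`, an unpinned tag from a public registry, while the same init container in `clustergroup/templates/plumbing/argocd.yaml` uses `$.Values.clusterGroup.imperative.image`; for the disconnected deployments this patch is meant to serve that pull fails unless the image is mirrored, so the policy should take the image from values as well. Two smaller points: the policy now pins the complete `ArgoCD` spec for `openshift-gitops` under `mustonlyhave`, so every operator default captured here (resource limits, `resourceExclusions`, `sso`) becomes something this chart must track across GitOps operator versions, and `|| true` on the `cat` means a missing `trusted-ca-bundle` silently yields a bundle containing only the kube root CA.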
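Review bot: in the clustergroup/templates/_helpers.tpl hunk at `@@ -22,6 +22,8 @@`, `value: {{ $.Values.global.experimentalCapabilities | default "" }}` still renders as an empty `value:` (YAML null) when unset, because an empty string prints nothing; `| default "" | quote` yields `value: ""`, matching the `global.privateRepo` line just above, which is quoted.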
@@ -4,6 +4,29 @@ # 3. If it is an http secret, generate the correct URL # 4. If it is an ssh secret, create the private ssh key and make sure the git clone works +{{/* fetch-ca InitContainer */}} +{{- define "imperative.initcontainers.fetch-ca" }} +- name: fetch-ca + image: {{ $.Values.clusterGroup.imperative.image }} + imagePullPolicy: {{ $.Values.clusterGroup.imperative.imagePullPolicy }} + env: + - name: HOME + value: /git/home + command: + - 'sh' + - '-c' + - >- + cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt > /tmp/ca-bundles/ca-bundle.crt || true; + ls -l /tmp/ca-bundles/ + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles +{{- end }} + {{/* git-init InitContainer */}} {{- define "imperative.initcontainers.gitinit" }} - name: git-init @@ -12,6 +35,9 @@ env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' 
@@ -37,11 +63,47 @@ mkdir /git/{repo,home}; git clone --single-branch --branch {{ $.Values.global.targetRevision }} --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; +{{- end }} + +{{/* git-init-ca InitContainer */}} +{{- define "imperative.initcontainers.gitinit-ca" }} +- name: git-init + image: {{ $.Values.clusterGroup.imperative.image }} + imagePullPolicy: {{ $.Values.clusterGroup.imperative.imagePullPolicy }} + env: + - name: HOME + value: /git/home volumeMounts: - name: git mountPath: "/git" + - name: ca-bundles + mountPath: /etc/pki/tls/certs + command: + - 'sh' + - '-c' + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL="{{ $.Values.global.repoURL }}"; + else + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.sshPrivateKey | base64decode}}` }}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.username | base64decode }}` }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.password | base64decode }}` }}')"; + URL=$(echo {{ $.Values.global.repoURL }} | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + echo "USER/PASS: ${URL}"; + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.sshPrivateKey | base64decode }}` }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo {{ $.Values.global.repoURL }} | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + echo "SSH: ${URL}"; + fi; + fi; + mkdir /git/{repo,home}; + git clone --single-branch --branch {{ $.Values.global.targetRevision }} --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; {{- end }} - {{/* Final done container 
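Review bot: in the clustergroup/templates/imperative/_helpers.tpl hunk at `@@ -37,11 +63,47 @@`, the new `gitinit-ca` template duplicates the entire `gitinit` script and differs only by one extra `ca-bundles` volume mount; parameterising the existing template, or including the shared script body from a third named template, avoids two copies of the credential handling that will drift. Two points carried into the new copy deserve a look while it is being touched: `echo "USER/PASS: ${URL}"` writes the URL with the embedded password into the init container log, where anyone with pod log access in the namespace can read it, and `StrictHostKeyChecking=no` with `UserKnownHostsFile=/dev/null` disables host verification for the clone; logging the URL with the credential redacted and seeding known_hosts from a ConfigMap would close both.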
*/}} {{- define "imperative.containers.done" }} - name: "done" @@ -56,6 +118,19 @@ {{- end }} {{/* volume-mounts for all containers */}} +{{- define "imperative.volumemounts_ca" }} +- name: git + mountPath: "/git" +- name: values-volume + mountPath: /values/values.yaml + subPath: values.yaml +- mountPath: /var/run/kube-root-ca + name: kube-root-ca +- mountPath: /var/run/trusted-ca + name: trusted-ca-bundle +- mountPath: /tmp/ca-bundles + name: ca-bundles +{{- end }} {{- define "imperative.volumemounts" }} - name: git mountPath: "/git" @@ -63,3 +138,29 @@ mountPath: /values/values.yaml subPath: values.yaml {{- end }} + +{{/* volumes for all containers */}} +{{- define "imperative.volumes" }} +- name: git + emptyDir: {} +- name: values-volume + configMap: + name: {{ $.Values.clusterGroup.imperative.valuesConfigMap }}-{{ $.Values.clusterGroup.name }} +{{- end }} + +{{- define "imperative.volumes_ca" }} +- name: git + emptyDir: {} +- name: values-volume + configMap: + name: {{ $.Values.clusterGroup.imperative.valuesConfigMap }}-{{ $.Values.clusterGroup.name }} +- configMap: + name: kube-root-ca.crt + name: kube-root-ca +- configMap: + name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle +- name: ca-bundles + emptyDir: {} +{{- end }} diff --git a/clustergroup/templates/imperative/configmap.yaml b/clustergroup/templates/imperative/configmap.yaml index 8ca5a17..9f2d615 100644 --- a/clustergroup/templates/imperative/configmap.yaml +++ b/clustergroup/templates/imperative/configmap.yaml @@ -9,4 +9,13 @@ metadata: data: values.yaml: | {{ tpl $valuesyaml . | indent 4 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: trusted-ca-bundle + namespace: {{ $.Values.clusterGroup.imperative.namespace}} + annotations: + labels: + config.openshift.io/inject-trusted-cabundle: 'true' {{- end }} diff --git a/clustergroup/templates/imperative/job.yaml b/clustergroup/templates/imperative/job.yaml index cb09264..0b82d47 100644 
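Review bot: in the clustergroup/templates/imperative/configmap.yaml hunk, the new ConfigMap has an empty `annotations:` key (renders as `annotations: null`), which can be dropped, and `{{ $.Values.clusterGroup.imperative.namespace}}` is missing the space before `}}` used everywhere else in the chart. Also, in the `_helpers.tpl` hunk at `@@ -63,3 +138,29 @@`, `imperative.volumes` and `imperative.volumes_ca` share their first two entries; having `volumes_ca` include `volumes` and append the three CA volumes keeps one source for the git and values volumes.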
--- a/clustergroup/templates/imperative/job.yaml +++ b/clustergroup/templates/imperative/job.yaml @@ -1,3 +1,5 @@ +{{- $hasInitContainerCapability := and (.Values.global.experimentalCapabilities) (has "initcontainers" (splitList "," .Values.global.experimentalCapabilities)) }} + {{- if not (eq .Values.enabled "plumbing") }} {{/* Define this if needed (jobs defined */}} {{- if (and $.Values.clusterGroup.imperative (gt (len $.Values.clusterGroup.imperative.jobs) 0)) -}} @@ -22,7 +24,12 @@ spec: initContainers: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there +{{- if $hasInitContainerCapability }} + {{- include "imperative.initcontainers.fetch-ca" . | indent 12 }} + {{- include "imperative.initcontainers.gitinit-ca" . | indent 12 }} +{{- else }} {{- include "imperative.initcontainers.gitinit" . | indent 12 }} +{{- end }} {{- range $.Values.clusterGroup.imperative.jobs }} {{- if ne (.disabled | default "false" | toString | lower ) "true" }} - name: {{ .name }} @@ -53,17 +60,21 @@ spec: {{- end }} - {{ .playbook }} volumeMounts: +{{- if $hasInitContainerCapability }} + {{- include "imperative.volumemounts_ca" . | indent 16 }} +{{- else }} {{- include "imperative.volumemounts" . | indent 16 }} +{{- end }} {{- end }} {{- end }} containers: {{- include "imperative.containers.done" . | indent 12 }} volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: {{ $.Values.clusterGroup.imperative.valuesConfigMap }}-{{ $.Values.clusterGroup.name }} +{{- if $hasInitContainerCapability }} + {{- include "imperative.volumes_ca" . | indent 12 }} +{{- else }} + {{- include "imperative.volumes" . | indent 12 }} +{{- end }} restartPolicy: Never {{- end }} {{- end }} diff --git a/clustergroup/templates/imperative/unsealjob.yaml b/clustergroup/templates/imperative/unsealjob.yaml index b251c5d..e0ff2c7 100644 
--- a/clustergroup/templates/imperative/unsealjob.yaml +++ b/clustergroup/templates/imperative/unsealjob.yaml @@ -1,3 +1,5 @@ +{{- $hasInitContainerCapability := and (.Values.global.experimentalCapabilities) (has "initcontainers" (splitList "," .Values.global.experimentalCapabilities)) }} + {{/* If the backend is not set at all we default to "vault". See https://www.github.com/helm/helm/issues/3308 why we avoid using the default function */}} {{- if or (eq .Values.global.secretStore.backend "vault") (not (hasKey .Values.global.secretStore "backend")) }} @@ -24,7 +26,13 @@ spec: initContainers: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there +{{- if $hasInitContainerCapability }} + + {{- include "imperative.initcontainers.fetch-ca" . | indent 12 }} + {{- include "imperative.initcontainers.gitinit-ca" . | indent 12 }} +{{- else }} {{- include "imperative.initcontainers.gitinit" . | indent 12 }} +{{- end }} - name: unseal-playbook image: {{ $.Values.clusterGroup.imperative.image }} imagePullPolicy: {{ $.Values.clusterGroup.imperative.imagePullPolicy }} @@ -47,15 +55,19 @@ spec: - 'vault_init,vault_unseal,vault_secrets_init,vault_spokes_init' - "common/ansible/playbooks/vault/vault.yaml" volumeMounts: +{{- if $hasInitContainerCapability }} + {{- include "imperative.volumemounts_ca" . | indent 16 }} +{{- else }} {{- include "imperative.volumemounts" . | indent 16 }} +{{- end }} containers: {{- include "imperative.containers.done" . | indent 12 }} volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: {{ $.Values.clusterGroup.imperative.valuesConfigMap }}-{{ $.Values.clusterGroup.name }} +{{- if $hasInitContainerCapability }} + {{- include "imperative.volumes_ca" . | indent 12 }} +{{- else }} + {{- include "imperative.volumes" . | indent 12 }} +{{- end }} restartPolicy: Never {{- end }} {{- end }} 
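Review bot: in the clustergroup/templates/imperative/unsealjob.yaml hunk at `@@ -24,7 +26,13 @@`, there is a stray empty line between `{{- if $hasInitContainerCapability }}` and the `fetch-ca` include; the `{{-` on the include trims it from the output, but the sibling `job.yaml` hunk has no blank there, so dropping it keeps the two templates identical for diffing.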
diff --git a/clustergroup/templates/plumbing/argocd.yaml b/clustergroup/templates/plumbing/argocd.yaml index 12e362a..dcce1b4 100644 --- a/clustergroup/templates/plumbing/argocd.yaml +++ b/clustergroup/templates/plumbing/argocd.yaml @@ -1,3 +1,5 @@ +{{- $hasInitContainerCapability := and (.Values.global.experimentalCapabilities) (has "initcontainers" (splitList "," .Values.global.experimentalCapabilities)) }} + {{- if (eq .Values.enabled "all") }} {{- $namespace := print $.Values.global.pattern "-" $.Values.clusterGroup.name }} apiVersion: argoproj.io/v1beta1 @@ -68,9 +70,50 @@ spec: rbac: defaultPolicy: role:admin repo: +{{- if $hasInitContainerCapability }} + initContainers: + - command: + - bash + - -c + - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt > /tmp/ca-bundles/ca-bundle.crt || true + image: {{ $.Values.clusterGroup.imperative.image }} + name: fetch-ca + resources: {} + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles + resources: + limits: + cpu: "1" + memory: 1Gi + requests: + cpu: 250m + memory: 256Mi + volumeMounts: + - mountPath: /etc/pki/tls/certs + name: ca-bundles + volumes: + - configMap: + name: kube-root-ca.crt + name: kube-root-ca + - configMap: + name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle + - emptyDir: {} + name: ca-bundles +{{- if len $.Values.clusterGroup.argoCD.initContainers }} +{{ $.Values.clusterGroup.argoCD.initContainers | toPrettyJson }} +{{- end }} +{{- else }} {{- if len $.Values.clusterGroup.argoCD.initContainers }} initContainers: {{ $.Values.clusterGroup.argoCD.initContainers | toPrettyJson }} {{- end }} +{{- end }}{{/* if $hasInitContainerCapability */}} {{- if len $.Values.clusterGroup.argoCD.configManagementPlugins }} sidecarContainers: {{- range $cmp := $.Values.clusterGroup.argoCD.configManagementPlugins }} 
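Review bot: in the new `$hasInitContainerCapability` branch of argocd.yaml, the user-supplied `$.Values.clusterGroup.argoCD.initContainers` are rendered with `toPrettyJson` after the `volumes:` list instead of under `initContainers:`, so on a pattern that sets them the output is either parsed as extra volume entries or rejected as invalid YAML; emit them directly after the built-in `fetch-ca` entry, as the `else` branch does. Separately, the `|| true` on `cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt > /tmp/ca-bundles/ca-bundle.crt` hides a missing input, and because the `ca-bundles` emptyDir is mounted over the whole of `/etc/pki/tls/certs`, a failed `cat` leaves the repo server with an empty or partial trust store that only surfaces later as TLS errors against Git; fail the init container, or at least log which file was missing, rather than silently continuing.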
diff --git a/clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml b/clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml new file mode 100644 index 0000000..8b2a9cd --- /dev/null +++ b/clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml @@ -0,0 +1,7 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: trusted-ca-bundle + namespace: {{ $.Values.global.pattern }}-{{ .Values.clusterGroup.name }} + labels: + config.openshift.io/inject-trusted-cabundle: 'true' From 4e75d71f061dc2c9ba2826fc74549fcb83149a48 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Thu, 11 Apr 2024 18:12:05 +0200 Subject: [PATCH 35/64] Update tests --- .../acm-industrial-edge-factory.expected.yaml | 9 +++ tests/acm-industrial-edge-hub.expected.yaml | 11 +++ tests/acm-medical-diagnosis-hub.expected.yaml | 11 +++ tests/acm-naked.expected.yaml | 9 +++ tests/acm-normal.expected.yaml | 13 +++ ...roup-industrial-edge-factory.expected.yaml | 39 ++++++--- ...tergroup-industrial-edge-hub.expected.yaml | 69 +++++++++++----- ...rgroup-medical-diagnosis-hub.expected.yaml | 81 ++++++++++++++----- tests/clustergroup-naked.expected.yaml | 37 ++++++--- tests/clustergroup-normal.expected.yaml | 59 +++++++++----- 10 files changed, 266 insertions(+), 72 deletions(-) diff --git a/tests/acm-industrial-edge-factory.expected.yaml b/tests/acm-industrial-edge-factory.expected.yaml index 66c0c0b..0291231 100644 --- a/tests/acm-industrial-edge-factory.expected.yaml +++ b/tests/acm-industrial-edge-factory.expected.yaml @@ -89,6 +89,15 @@ spec: include: - default object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-ca-bundle + namespace: openshift-gitops + labels: + config.openshift.io/inject-trusted-cabundle: 'true' - complianceType: mustonlyhave objectDefinition: # This is an auto-generated file. DO NOT EDIT 
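Review bot: the new `trusted-bundle-ca-configmap.yaml` is rendered unconditionally while every consumer added in this patch sits behind `$hasInitContainerCapability`; either guard the file with the same check or state in the commit message that the injected bundle ConfigMap is meant to exist even when the capability is off.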
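Review bot: in the acm-industrial-edge-factory expected output, the `trusted-ca-bundle` ConfigMap is wrapped in an object-template with `complianceType: mustonlyhave` but carries no `data`; the `config.openshift.io/inject-trusted-cabundle` label causes the network operator to write `data.ca-bundle.crt` into the object on the spoke, so verify that the policy does not report the injected content as drift (or, under enforce, strip it) and switch to `musthave` if it does.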
diff --git a/tests/acm-industrial-edge-hub.expected.yaml b/tests/acm-industrial-edge-hub.expected.yaml index 59c7e60..a912f0c 100644 --- a/tests/acm-industrial-edge-hub.expected.yaml +++ b/tests/acm-industrial-edge-hub.expected.yaml @@ -248,6 +248,8 @@ spec: value: aws - name: clusterGroup.name value: factory + - name: global.experimentalCapabilities + value: - name: clusterGroup.isHubCluster value: "false" destination: @@ -296,6 +298,15 @@ spec: include: - default object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-ca-bundle + namespace: openshift-gitops + labels: + config.openshift.io/inject-trusted-cabundle: 'true' - complianceType: mustonlyhave objectDefinition: # This is an auto-generated file. DO NOT EDIT diff --git a/tests/acm-medical-diagnosis-hub.expected.yaml b/tests/acm-medical-diagnosis-hub.expected.yaml index 3a65a6b..3ac5fe1 100644 --- a/tests/acm-medical-diagnosis-hub.expected.yaml +++ b/tests/acm-medical-diagnosis-hub.expected.yaml @@ -239,6 +239,8 @@ spec: value: aws - name: clusterGroup.name value: region-one + - name: global.experimentalCapabilities + value: - name: clusterGroup.isHubCluster value: "false" destination: @@ -287,6 +289,15 @@ spec: include: - default object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-ca-bundle + namespace: openshift-gitops + labels: + config.openshift.io/inject-trusted-cabundle: 'true' - complianceType: mustonlyhave objectDefinition: # This is an auto-generated file. DO NOT EDIT diff --git a/tests/acm-naked.expected.yaml b/tests/acm-naked.expected.yaml index 880ef74..4f0ac75 100644 --- a/tests/acm-naked.expected.yaml +++ b/tests/acm-naked.expected.yaml 
@@ -90,6 +90,15 @@ spec: include: - default object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-ca-bundle + namespace: openshift-gitops + labels: + config.openshift.io/inject-trusted-cabundle: 'true' - complianceType: mustonlyhave objectDefinition: # This is an auto-generated file. DO NOT EDIT diff --git a/tests/acm-normal.expected.yaml b/tests/acm-normal.expected.yaml index af97f53..1a3f6e7 100644 --- a/tests/acm-normal.expected.yaml +++ b/tests/acm-normal.expected.yaml @@ -642,6 +642,8 @@ spec: value: aws - name: clusterGroup.name value: acm-edge + - name: global.experimentalCapabilities + value: - name: clusterGroup.isHubCluster value: "false" destination: @@ -738,6 +740,8 @@ spec: value: aws - name: clusterGroup.name value: acm-provision-edge + - name: global.experimentalCapabilities + value: - name: clusterGroup.isHubCluster value: "false" destination: @@ -786,6 +790,15 @@ spec: include: - default object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-ca-bundle + namespace: openshift-gitops + labels: + config.openshift.io/inject-trusted-cabundle: 'true' - complianceType: mustonlyhave objectDefinition: # This is an auto-generated file. DO NOT EDIT diff --git a/tests/clustergroup-industrial-edge-factory.expected.yaml b/tests/clustergroup-industrial-edge-factory.expected.yaml index 851119a..39ec60c 100644 --- a/tests/clustergroup-industrial-edge-factory.expected.yaml +++ b/tests/clustergroup-industrial-edge-factory.expected.yaml 
@@ -198,6 +198,16 @@ data: kind: ClusterSecretStore name: vault-backend --- +# Source: clustergroup/templates/imperative/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: trusted-ca-bundle + namespace: imperative + annotations: + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- # Source: clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml kind: ConfigMap apiVersion: v1 @@ -230,6 +240,15 @@ data: --set clusterGroup.name=factory --post-renderer ./kustomize"] --- +# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: trusted-ca-bundle + namespace: mypattern-factory + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- # Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -359,6 +378,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' @@ -384,9 +406,6 @@ spec: mkdir /git/{repo,home}; git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: test image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -419,12 +438,12 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-factory + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-factory restartPolicy: Never --- # Source: clustergroup/templates/core/subscriptions.yaml @@ -527,6 +546,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: 
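Review bot: the rendered `imperative/configmap.yaml` output in the clustergroup-industrial-edge-factory expectation carries an empty `annotations:` key under `metadata`; the generating template should emit `annotations:` only when it has entries, since a null map is harmless on apply but shows up as perpetual diff noise in Argo CD and in these golden files.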
diff --git a/tests/clustergroup-industrial-edge-hub.expected.yaml b/tests/clustergroup-industrial-edge-hub.expected.yaml index 611ecbb..8355852 100644 --- a/tests/clustergroup-industrial-edge-hub.expected.yaml +++ b/tests/clustergroup-industrial-edge-hub.expected.yaml @@ -359,6 +359,16 @@ data: kind: ClusterSecretStore name: vault-backend --- +# Source: clustergroup/templates/imperative/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: trusted-ca-bundle + namespace: imperative + annotations: + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- # Source: clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml kind: ConfigMap apiVersion: v1 @@ -391,6 +401,15 @@ data: --set clusterGroup.name=datacenter --post-renderer ./kustomize"] --- +# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: trusted-ca-bundle + namespace: mypattern-datacenter + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- # Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -520,6 +539,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' @@ -545,9 +567,6 @@ spec: mkdir /git/{repo,home}; git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: test image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -580,12 +599,12 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-datacenter + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-datacenter restartPolicy: Never --- # Source: clustergroup/templates/imperative/unsealjob.yaml 
@@ -615,6 +634,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' @@ -640,9 +662,6 @@ spec: mkdir /git/{repo,home}; git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: unseal-playbook image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -677,12 +696,12 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-datacenter + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-datacenter restartPolicy: Never --- # Source: clustergroup/templates/core/subscriptions.yaml @@ -821,6 +840,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: ignoreDifferences: [ { "group": "internal.open-cluster-management.io", @@ -884,6 +905,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -938,6 +961,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -992,6 +1017,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: ignoreDifferences: [ { "group": "apps", @@ -1076,6 +1103,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -1130,6 +1159,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: 
@@ -1211,6 +1242,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: - name: global.openshift value: "true" - name: injector.enabled diff --git a/tests/clustergroup-medical-diagnosis-hub.expected.yaml b/tests/clustergroup-medical-diagnosis-hub.expected.yaml index 9855500..819e2ef 100644 --- a/tests/clustergroup-medical-diagnosis-hub.expected.yaml +++ b/tests/clustergroup-medical-diagnosis-hub.expected.yaml @@ -318,6 +318,25 @@ data: kind: ClusterSecretStore name: vault-backend --- +# Source: clustergroup/templates/imperative/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: trusted-ca-bundle + namespace: imperative + annotations: + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- +# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: trusted-ca-bundle + namespace: mypattern-hub + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- # Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -447,6 +466,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' @@ -472,9 +494,6 @@ spec: mkdir /git/{repo,home}; git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: test image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -507,12 +526,12 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-hub + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-hub restartPolicy: Never --- # Source: clustergroup/templates/imperative/unsealjob.yaml 
@@ -542,6 +561,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' @@ -567,9 +589,6 @@ spec: mkdir /git/{repo,home}; git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: unseal-playbook image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -604,12 +623,12 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-hub + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-hub restartPolicy: Never --- # Source: clustergroup/templates/core/subscriptions.yaml @@ -706,6 +725,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -760,6 +781,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -814,6 +837,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -868,6 +893,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -922,6 +949,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -976,6 +1005,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: 
@@ -1030,6 +1061,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -1084,6 +1117,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: - name: global.openshift value: "true" - name: injector.enabled @@ -1156,6 +1191,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -1210,6 +1247,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -1264,6 +1303,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: ignoreDifferences: [ { "group": "apps.openshift.io", @@ -1327,6 +1368,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: ignoreDifferences: [ { "group": "apps.openshift.io", @@ -1390,6 +1433,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: diff --git a/tests/clustergroup-naked.expected.yaml b/tests/clustergroup-naked.expected.yaml index 194bfa8..b8e329d 100644 --- a/tests/clustergroup-naked.expected.yaml +++ b/tests/clustergroup-naked.expected.yaml 
@@ -83,6 +83,25 @@ data: kind: ClusterSecretStore name: vault-backend --- +# Source: clustergroup/templates/imperative/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: trusted-ca-bundle + namespace: imperative + annotations: + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- +# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: trusted-ca-bundle + namespace: common-example + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- # Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -212,6 +231,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' @@ -237,9 +259,6 @@ spec: mkdir /git/{repo,home}; git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: unseal-playbook image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -274,12 +293,12 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-example + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-example restartPolicy: Never --- # Source: clustergroup/templates/plumbing/argocd.yaml diff --git a/tests/clustergroup-normal.expected.yaml b/tests/clustergroup-normal.expected.yaml index f038446..b3387af 100644 --- a/tests/clustergroup-normal.expected.yaml +++ b/tests/clustergroup-normal.expected.yaml 
@@ -280,6 +280,25 @@ data: kind: ClusterSecretStore name: vault-backend --- +# Source: clustergroup/templates/imperative/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: trusted-ca-bundle + namespace: imperative + annotations: + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- +# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: trusted-ca-bundle + namespace: mypattern-example + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- # Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -409,6 +428,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' @@ -434,9 +456,6 @@ spec: mkdir /git/{repo,home}; git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: test image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -469,12 +488,12 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-example + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-example restartPolicy: Never --- # Source: clustergroup/templates/imperative/unsealjob.yaml @@ -504,6 +523,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' @@ -529,9 +551,6 @@ spec: mkdir /git/{repo,home}; git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: unseal-playbook image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always 
@@ -566,12 +585,12 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-example + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-example restartPolicy: Never --- # Source: clustergroup/templates/core/subscriptions.yaml @@ -670,6 +689,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: ignoreDifferences: [ { "group": "internal.open-cluster-management.io", @@ -736,6 +757,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: From 9b965559c08931f5625aea50772f8d3a97f12b94 Mon Sep 17 00:00:00 2001 
From: Lester Claudio Date: Thu, 11 Apr 2024 14:58:13 -0600 Subject: [PATCH 36/64] Support for issue #459 The changes here support the "Support for merging of namespaces, projects, subscriptions and application in overrides/values-common.yaml #459" issue that was opened by Northrop Grumman Files that were changed are: clustergroup/templates/_helpers.tpl clustergroup/templates/core/namespaces.yaml clustergroup/templates/core/operatorgroup.yaml clustergroup/templates/plumbing/projects.yaml clustergroup/values.schema.json examples/values-example.yaml The idea is that if you define the projects section, or the namespaces section, in two different values files using a map construct we will be able to merge both definition of projects into the final rendering of the manifests. The new structure for projects is as follows: ``` clusterGroup: ... projects: project1: ``` The new structure for namespaces is as follows: ``` clusterGroup: ... namespaces: namespace1: open-cluster-management: labels: openshift.io/node-selector: "" kubernetes.io/os: linux annotations: openshift.io/cluster-monitoring: "true" owner: "namespace owner" ``` The user would need to choose to use a list or a hashmap object. The user would not be able to use a mix of hashes and list to describe projects or namespaces. --- clustergroup/templates/_helpers.tpl | 152 ++++++++++++++++++ clustergroup/templates/core/namespaces.yaml | 10 ++ .../templates/core/operatorgroup.yaml | 10 ++ clustergroup/templates/plumbing/projects.yaml | 14 +- clustergroup/values.schema.json | 18 ++- examples/values-example.yaml | 18 +++ 6 files changed, 218 insertions(+), 4 deletions(-) diff --git a/clustergroup/templates/_helpers.tpl b/clustergroup/templates/_helpers.tpl index 83b06a0..7e76465 100644 --- a/clustergroup/templates/_helpers.tpl +++ b/clustergroup/templates/_helpers.tpl 
@@ -70,3 +70,155 @@ Default always defined valueFiles to be included in Applications but with a pref {{- end }} {{/* range $.Values.global.extraValueFiles */}} {{- end }} {{/* if $.Values.global.extraValueFiles */}} {{- end }} {{/* clustergroup.app.globalvalues.prefixedvaluefiles */}} + +{{/* +Helper function to generate AppProject from a map object +Called from common/clustergroup/templates/plumbing/projects.yaml +*/}} +{{- define "clustergroup.template.plumbing.projects.map" -}} +{{- $projects := index . 0 }} +{{- $namespace := index . 1 }} +{{- $enabled := index . 2 }} +{{- range $k, $v := $projects}} +apiVersion: argoproj.io/v1alpha1 +kind: AppProject +metadata: + name: {{ $k }} +{{- if (eq $enabled "plumbing") }} + namespace: openshift-gitops +{{- else }} + namespace: {{ $namespace }} +{{- end }} +spec: + description: "Pattern {{ . }}" + destinations: + - namespace: '*' + server: '*' + clusterResourceWhitelist: + - group: '*' + kind: '*' + namespaceResourceWhitelist: + - group: '*' + kind: '*' + sourceRepos: + - '*' +status: {} +--- +{{- end }} +{{- end }} + +{{/* + Helper function to generate AppProject from a list object. + Called from common/clustergroup/templates/plumbing/projects.yaml +*/}} +{{- define "clustergroup.template.plumbing.projects.list" -}} +{{- $projects := index . 0 }} +{{- $namespace := index . 1 }} +{{- $enabled := index . 2 }} +{{- range $projects}} +apiVersion: argoproj.io/v1alpha1 +kind: AppProject +metadata: + name: {{ . }} +{{- if (eq $enabled "plumbing") }} + namespace: openshift-gitops +{{- else }} + namespace: {{ $namespace }} +{{- end }} +spec: + description: "Pattern {{ . }}" + destinations: + - namespace: '*' + server: '*' + clusterResourceWhitelist: + - group: '*' + kind: '*' + namespaceResourceWhitelist: + - group: '*' + kind: '*' + sourceRepos: + - '*' +status: {} +{{- end }} +{{- end }} + +{{/* + Helper function to generate Namespaces from a map object. 
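Review bot: in `clustergroup.template.plumbing.projects.map`, `description: "Pattern {{ . }}"` is evaluated inside `range $k, $v := $projects`, where `.` is the map value (nil for an entry such as `project1:`), so the description will not contain the project name; use `$k`. The companion `clustergroup.template.plumbing.projects.list` is defined here but never invoked (projects.yaml keeps its inline `range` for the list form), and it also omits the `---` separator that the map variant and the inline loop emit after `status: {}`; either wire it in and add the separator, or drop it.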
+ Arguments passed as a list object are: + 0 - The namespace hash keys + 1 - Pattern name from .Values.global.pattern + 2 - Cluster group name from .Values.clusterGroup.name + Called from common/clustergroup/templates/core/namespaces.yaml +*/}} +{{- define "clustergroup.template.core.namespaces.map" -}} +{{- $ns := index . 0 }} +{{- $patternName := index . 1 }} +{{- $clusterGroupName := index . 2 }} + +{{- range $k, $v := $ns }}{{- /* We loop here even though the map has always just one key */}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ $k }} + {{- if ne $v nil }} + labels: + argocd.argoproj.io/managed-by: {{ $patternName }}-{{ .clusterGroupName }} + {{- if $v.labels }} + {{- range $key, $value := $v.labels }} {{- /* We loop here even though the map has always just one key */}} + {{ $key }}: {{ $value | default "" | quote }} + {{- end }} + {{- end }} + {{- if $v.annotations }} + annotations: + {{- range $key, $value := $v.annotations }} {{- /* We loop through the map to get key/value pairs */}} + {{ $key }}: {{ $value | default "" | quote }} + {{- end }} + {{- end }}{{- /* if $v.annotations */}} + {{- end }} +spec: +--- +{{- end }}{{- /* range $k, $v := $ns */}} +{{- end }} + +{{- /* + Helper function to generate OperatorGroup from a map object. + Arguments passed as a list object are: + 0 - The namespace hash keys + 1 - The operatorExcludes section from .Values.clusterGroup.operatorgroupExcludes + Called from common/clustergroup/templates/core/operatorgroup.yaml +*/ -}} +{{- define "clustergroup.template.core.operatorgroup.map" -}} +{{- $ns := index . 0 }} +{{- $operatorgroupExcludes := index . 1 }} +{{- if or (empty $operatorgroupExcludes) (not (has . 
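Review bot: in `clustergroup.template.core.namespaces.map`, the label `argocd.argoproj.io/managed-by: {{ $patternName }}-{{ .clusterGroupName }}` reads `.clusterGroupName` from the current range value (the namespace's own map) instead of the `$clusterGroupName` variable bound from argument 2, so the label renders as `<pattern>-` with no cluster group name; change it to `$clusterGroupName`. The comment "We loop here even though the map has always just one key" is also copied onto the `$v.labels` range, where it is not true, and an empty `spec:` is emitted for every namespace.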
$operatorgroupExcludes)) }} + {{- range $k, $v := $ns }}{{- /* We loop here even though the map has always just one key */}} + {{- if $v }} + {{- if $v.operatorGroup }}{{- /* Checks if the user sets operatorGroup: false */}} +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: {{ $k }}-operator-group + namespace: {{ $k }} +spec: + targetNamespaces: + {{- if (hasKey $v "targetNamespaces") }} + {{- range $v.targetNamespaces }}{{- /* We loop through the list of tergetnamespaces */}} + - {{ . }} + {{- end }}{{- /* End range targetNamespaces */}} + {{- else }} + - {{ $k }} + {{- end }}{{- /* End of if hasKey $v "targetNamespaces" */}} + {{- end }}{{- /* End if $v.operatorGroup */}} + {{- else }}{{- /* else if $v == nil */}} +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: {{ $k }}-operator-group + namespace: {{ $k }} +spec: + targetNamespaces: + - {{ $k }} + {{- end }}{{- /* end if $v */}} + {{- end }}{{- /* End range $k, $v = $ns */}} +{{- end }}{{- /* End of if operatorGroupExcludes */}} +{{- end }} {{- /* End define "clustergroup.template.core.operatorgroup.map" */}} diff --git a/clustergroup/templates/core/namespaces.yaml b/clustergroup/templates/core/namespaces.yaml index dfa6ae1..c9a26af 100644 --- a/clustergroup/templates/core/namespaces.yaml +++ b/clustergroup/templates/core/namespaces.yaml 
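Review bot: in `clustergroup.template.core.operatorgroup.map`, the exclusion test `(not (has . $operatorgroupExcludes))` runs before the `range`, where `.` is still the two-element argument list, so it can never match a namespace name and `operatorgroupExcludes` is silently ignored for map-style namespaces; move the check inside the range and test `$k`. In the same helper, `{{- if $v.operatorGroup }}` creates no OperatorGroup for a namespace that is a map with only `labels`/`annotations` (the key is absent, so the condition is false), while a nil entry does get one; if absence should mean "create", test `(or (not (hasKey $v "operatorGroup")) $v.operatorGroup)`. Also fix the typo "tergetnamespaces" in the comment.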
@@ -1,4 +1,13 @@ {{- if not (eq .Values.enabled "plumbing") }} +{{- /* + We first check if namespaces are defined as a map. If it is we call + our helper function in _helpers.tpl to process the namespaces + described in the values file. This is to support issue + https://github.com/validatedpatterns/common/issues/459 created by our customer. +*/ -}} +{{- if kindIs "map" .Values.clusterGroup.namespaces }} +{{- template "clustergroup.template.core.namespaces.map" (list .Values.clusterGroup.namespaces $.Values.global.pattern $.Values.clusterGroup.name) }} +{{- else }} {{- range $ns := .Values.clusterGroup.namespaces }} apiVersion: v1 kind: Namespace @@ -30,3 +39,4 @@ spec: --- {{- end }} {{- end }} +{{- end }} diff --git a/clustergroup/templates/core/operatorgroup.yaml b/clustergroup/templates/core/operatorgroup.yaml index cd679bd..17aa966 100644 --- a/clustergroup/templates/core/operatorgroup.yaml +++ b/clustergroup/templates/core/operatorgroup.yaml @@ -1,4 +1,13 @@ {{- if not (eq .Values.enabled "plumbing") }} +{{- /* + We first check if namespaces are defined as a map. If it is we call + our helper function in _helpers.tpl to process the projects + described in the values file. This is to support issue + https://github.com/validatedpatterns/common/issues/459 created by our customer. +*/ -}} +{{- if kindIs "map" .Values.clusterGroup.namespaces }} +{{- template "clustergroup.template.core.operatorgroup.map" (list .Values.clusterGroup.namespaces .Values.clusterGroup.operatorgroupExcludes) }} +{{- else }} {{- range $ns := .Values.clusterGroup.namespaces }} {{- if or (empty $.Values.clusterGroup.operatorgroupExcludes) (not (has . $.Values.clusterGroup.operatorgroupExcludes)) }} 
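Review bot: the explanatory comment added to operatorgroup.yaml says the helper will "process the projects described in the values file", which is copied from projects.yaml; it should say operator groups for the namespaces.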
@@ -35,4 +44,5 @@ spec: --- {{- end }} {{- /* if or (empty $.Values.clusterGroup.operatorgroupExcludes) (not (has . $.Values.clusterGroup.operatorgroupExcludes)) */}} {{- end }} {{- /* range $ns := .Values.clusterGroup.namespaces */}} +{{- end }} {{- /* if kindIs "map" $ns */}} {{- end }} {{- /* if not (eq .Values.enabled "plumbing") */}} diff --git a/clustergroup/templates/plumbing/projects.yaml b/clustergroup/templates/plumbing/projects.yaml index 7f3b8c2..1050f2e 100644 --- a/clustergroup/templates/plumbing/projects.yaml +++ b/clustergroup/templates/plumbing/projects.yaml @@ -1,5 +1,14 @@ {{- if not (eq .Values.enabled "core") }} {{- $namespace := print $.Values.global.pattern "-" $.Values.clusterGroup.name }} +{{- /* + We first check if projects are defined as a map. If it is we call + our helper function in _helpers.tpl to process the projects + described in the values file. This is to support issue + https://github.com/validatedpatterns/common/issues/459 created by our customer. +*/ -}} +{{- if kindIs "map" .Values.clusterGroup.projects }} +{{- template "clustergroup.template.plumbing.projects.map" (list .Values.clusterGroup.projects $namespace $.Values.enabled) }} +{{- else }} {{- range .Values.clusterGroup.projects }} apiVersion: argoproj.io/v1alpha1 kind: AppProject @@ -25,5 +34,6 @@ spec: - '*' status: {} --- -{{- end }} -{{- end }} +{{- end }} {{- /* end range */ -}} +{{- end }} {{- /* end if map */ -}} +{{- end }} {{- /* end if not "core" */ -}} diff --git a/clustergroup/values.schema.json b/clustergroup/values.schema.json index 0ab0fc3..275a80a 100644 --- a/clustergroup/values.schema.json +++ b/clustergroup/values.schema.json 
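Review bot: the new closing comment `{{- /* if kindIs "map" $ns */}}` in operatorgroup.yaml names `$ns`, but the condition it closes tests `.Values.clusterGroup.namespaces`; match the comment to the expression so the nesting stays readable.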
@@ -254,7 +254,14 @@ "description": "Templated value file paths." }, "namespaces": { - "type": "array", + "anyOf": [ + { + "type": "array" + }, + { + "type": "object" + } + ], "description": "This is the array of namespaces that the VP framework will create. In addition, operator groups will also be created for each namespace.", "items": { "$ref": "#/definitions/Namespaces" @@ -312,7 +319,14 @@ } }, "projects": { - "type": "array", + "anyOf": [ + { + "type": "array" + }, + { + "type": "object" + } + ], "description": "The list of projects that will be created in the ArgoCD instances.", "items": { "type": "string" diff --git a/examples/values-example.yaml b/examples/values-example.yaml index 6c006b0..84682e2 100644 --- a/examples/values-example.yaml +++ b/examples/values-example.yaml @@ -15,6 +15,18 @@ clusterGroup: - /values/{{ .Values.global.clusterPlatform }}.yaml - /values/{{ .Values.global.clusterVersion }}.yaml + # + # You can define namespaces using hashes and not as a list like so: + # namespaces: + # open-cluster-management: + # labels: + # openshift.io/node-selector: "" + # kubernetes.io/os: linux + # annotations: + # openshift.io/cluster-monitoring: "true" + # owner: "namespace owner" + # application-ci: + # You cannot mix list and hashes to define namespaces namespaces: - open-cluster-management: labels: @@ -58,6 +70,12 @@ clusterGroup: name: openshift-pipelines-operator-rh csv: redhat-openshift-pipelines.v1.5.2 + # + # You can define projects using hashes like so: + # projects: + # hub: + # datacenter: + # You cannot mix list and hashes to define projects. projects: - datacenter From 7128a3f3e583504c3127b96482a8b2c567247ae1 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Fri, 12 Apr 2024 12:01:48 +0200 Subject: [PATCH 37/64] Drop unused piece of schema json Not entirely sure how this slipped in. Reported-by: Martin Jackson --- clustergroup/values.schema.json | 3 --- 1 file changed, 3 deletions(-) 
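Review bot: in both values.schema.json hunks the `items` keyword that follows the new `anyOf` only constrains the array branch, so a map-form `namespaces:` or `projects:` now passes validation with any content: the `$ref` to `#/definitions/Namespaces` and the `"type": "string"` check for projects never apply to the object form the templates now accept. Suggest giving the `"type": "object"` branch its own constraint (for namespaces, `additionalProperties` with a schema for the per-namespace body of `labels` and `annotations` shown in values-example.yaml; for projects, `additionalProperties` limited to an empty or null value) and updating the two descriptions, which still read "This is the array of namespaces" and "The list of projects", to mention the map form.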
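Review bot: the commented map example in the values-example.yaml hunk includes `application-ci:` with no body, i.e. a key whose value is null; confirm that `clustergroup.template.core.namespaces.map` tolerates a nil entry with no `labels` or `annotations`, since that is how most users will write the map form, and if it does not, show the `application-ci: {}` spelling instead. The wording "using hashes and not as a list" would read better as "as a map instead of a list", matching the `kindIs "map"` check the templates perform.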
diff --git a/clustergroup/values.schema.json b/clustergroup/values.schema.json index 0ab0fc3..ac45b8a 100644 --- a/clustergroup/values.schema.json +++ b/clustergroup/values.schema.json @@ -351,9 +351,6 @@ "items": { "$ref": "#/definitions/ManagedClusterGroup" } - }, - "externalClusters": { - "type": "array" } }, "required": [ From 36b2cb658ccfe848c6d3c2a07593366953eedccd Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Sun, 14 Apr 2024 13:34:26 +0200 Subject: [PATCH 38/64] Small cleanup to remove unneeded log messages --- clustergroup/templates/imperative/_helpers.tpl | 4 ---- tests/clustergroup-industrial-edge-factory.expected.yaml | 2 -- tests/clustergroup-industrial-edge-hub.expected.yaml | 4 ---- tests/clustergroup-medical-diagnosis-hub.expected.yaml | 4 ---- tests/clustergroup-naked.expected.yaml | 2 -- tests/clustergroup-normal.expected.yaml | 4 ---- 6 files changed, 20 deletions(-) diff --git a/clustergroup/templates/imperative/_helpers.tpl b/clustergroup/templates/imperative/_helpers.tpl index 64786ac..1800b5f 100644 --- a/clustergroup/templates/imperative/_helpers.tpl +++ b/clustergroup/templates/imperative/_helpers.tpl @@ -49,7 +49,6 @@ U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.username | base64decode }}` }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.password | base64decode }}` }}')"; URL=$(echo {{ $.Values.global.repoURL }} | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.sshPrivateKey | base64decode }}` }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; 
@@ -57,7 +56,6 @@ chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo {{ $.Values.global.repoURL }} | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; mkdir /git/{repo,home}; @@ -89,7 +87,6 @@ U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.username | base64decode }}` }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.password | base64decode }}` }}')"; URL=$(echo {{ $.Values.global.repoURL }} | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.sshPrivateKey | base64decode }}` }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; @@ -97,7 +94,6 @@ chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo {{ $.Values.global.repoURL }} | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; mkdir /git/{repo,home}; diff --git a/tests/clustergroup-industrial-edge-factory.expected.yaml b/tests/clustergroup-industrial-edge-factory.expected.yaml index 39ec60c..3acb8a9 100644 --- a/tests/clustergroup-industrial-edge-factory.expected.yaml +++ b/tests/clustergroup-industrial-edge-factory.expected.yaml 
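Review bot: the removed `echo "USER/PASS: ${URL}"` lines in the two _helpers.tpl hunks printed the URL after `sed` had spliced `${U}:${P}@` into it, so every run of this Job wrote the private-repo username and password from the `vp-private-repo-credentials` secret into the pod log; the commit message calls these "unneeded log messages", but this is a credential-disclosure fix and the message (and the release notes) should say so, so that operators know to treat earlier Job logs as sensitive and rotate that credential. The matching `echo "SSH: ${URL}"` removal is harmless by comparison, since that URL carries no secret, but dropping it is still right.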
@@ -392,7 +392,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; @@ -400,7 +399,6 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; mkdir /git/{repo,home}; diff --git a/tests/clustergroup-industrial-edge-hub.expected.yaml b/tests/clustergroup-industrial-edge-hub.expected.yaml index 8355852..c022acf 100644 --- a/tests/clustergroup-industrial-edge-hub.expected.yaml +++ b/tests/clustergroup-industrial-edge-hub.expected.yaml @@ -553,7 +553,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; 
@@ -561,7 +560,6 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; mkdir /git/{repo,home}; @@ -648,7 +646,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; @@ -656,7 +653,6 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; mkdir /git/{repo,home}; diff --git a/tests/clustergroup-medical-diagnosis-hub.expected.yaml b/tests/clustergroup-medical-diagnosis-hub.expected.yaml index 819e2ef..8d74bcb 100644 --- a/tests/clustergroup-medical-diagnosis-hub.expected.yaml +++ b/tests/clustergroup-medical-diagnosis-hub.expected.yaml 
@@ -480,7 +480,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; @@ -488,7 +487,6 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; mkdir /git/{repo,home}; @@ -575,7 +573,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; @@ -583,7 +580,6 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; mkdir /git/{repo,home}; diff --git a/tests/clustergroup-naked.expected.yaml b/tests/clustergroup-naked.expected.yaml index b8e329d..842bf58 100644 --- a/tests/clustergroup-naked.expected.yaml 
+++ b/tests/clustergroup-naked.expected.yaml @@ -245,7 +245,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; @@ -253,7 +252,6 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; mkdir /git/{repo,home}; diff --git a/tests/clustergroup-normal.expected.yaml b/tests/clustergroup-normal.expected.yaml index b3387af..1e5719d 100644 --- a/tests/clustergroup-normal.expected.yaml +++ b/tests/clustergroup-normal.expected.yaml @@ -442,7 +442,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; 
@@ -450,7 +449,6 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; mkdir /git/{repo,home}; @@ -537,7 +535,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; @@ -545,7 +542,6 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; mkdir /git/{repo,home}; From 247ee651da63e3ecd2faaf56335a46270b2a77eb Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Sun, 14 Apr 2024 13:46:50 +0200 Subject: [PATCH 39/64] Support for cluster-wide proxy If the clusterwide proxy object is configured, let's support it when we clone the git repos for the imperative framework. --- clustergroup/templates/imperative/_helpers.tpl | 12 ++++++++++++ ...lustergroup-industrial-edge-factory.expected.yaml | 6 ++++++ tests/clustergroup-industrial-edge-hub.expected.yaml | 12 ++++++++++++ .../clustergroup-medical-diagnosis-hub.expected.yaml | 12 ++++++++++++ tests/clustergroup-naked.expected.yaml | 6 ++++++ tests/clustergroup-normal.expected.yaml | 12 ++++++++++++ 6 files changed, 60 insertions(+) 
diff --git a/clustergroup/templates/imperative/_helpers.tpl b/clustergroup/templates/imperative/_helpers.tpl index 1800b5f..f28b566 100644 --- a/clustergroup/templates/imperative/_helpers.tpl +++ b/clustergroup/templates/imperative/_helpers.tpl @@ -58,6 +58,12 @@ git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; git clone --single-branch --branch {{ $.Values.global.targetRevision }} --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; @@ -96,6 +102,12 @@ git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; git clone --single-branch --branch {{ $.Values.global.targetRevision }} --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; diff --git a/tests/clustergroup-industrial-edge-factory.expected.yaml b/tests/clustergroup-industrial-edge-factory.expected.yaml index 3acb8a9..da52151 100644 
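Review bot: the proxy block in both _helpers.tpl hunks exports only the uppercase `HTTP_PROXY`, but libcurl, which git uses for http(s):// transport, reads only the lowercase `http_proxy` (the uppercase form is deliberately ignored because of the httpoxy CGI issue), so an `http://` repoURL will still bypass the proxy; `HTTPS_PROXY` and `NO_PROXY` are honoured in either case. Export the lowercase names alongside the uppercase ones. Two smaller points: the block sits after the `fi; fi;`, so it also runs on the ssh branch, where none of these variables affect `git clone` over ssh (that path would need a ProxyCommand to honour the cluster proxy, so the commit message overstates what is covered), and the three `oc get proxy.config.openshift.io/cluster` calls could be a single call whose jsonpath emits all three fields, which would also halve the duplicated lines in the second hunk.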
--- a/tests/clustergroup-industrial-edge-factory.expected.yaml +++ b/tests/clustergroup-industrial-edge-factory.expected.yaml @@ -401,6 +401,12 @@ spec: git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; diff --git a/tests/clustergroup-industrial-edge-hub.expected.yaml b/tests/clustergroup-industrial-edge-hub.expected.yaml index c022acf..f84bbeb 100644 --- a/tests/clustergroup-industrial-edge-hub.expected.yaml +++ b/tests/clustergroup-industrial-edge-hub.expected.yaml @@ -562,6 +562,12 @@ spec: git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; 
@@ -655,6 +661,12 @@ spec: git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; diff --git a/tests/clustergroup-medical-diagnosis-hub.expected.yaml b/tests/clustergroup-medical-diagnosis-hub.expected.yaml index 8d74bcb..9effcba 100644 --- a/tests/clustergroup-medical-diagnosis-hub.expected.yaml +++ b/tests/clustergroup-medical-diagnosis-hub.expected.yaml @@ -489,6 +489,12 @@ spec: git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; 
@@ -582,6 +588,12 @@ spec: git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; diff --git a/tests/clustergroup-naked.expected.yaml b/tests/clustergroup-naked.expected.yaml index 842bf58..13e66fc 100644 --- a/tests/clustergroup-naked.expected.yaml +++ b/tests/clustergroup-naked.expected.yaml @@ -254,6 +254,12 @@ spec: git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; diff --git a/tests/clustergroup-normal.expected.yaml b/tests/clustergroup-normal.expected.yaml index 1e5719d..8d3d4d5 100644 --- a/tests/clustergroup-normal.expected.yaml +++ b/tests/clustergroup-normal.expected.yaml 
@@ -451,6 +451,12 @@ spec: git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; @@ -544,6 +550,12 @@ spec: git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; From 86164c6a0da9860382ba54325565e4657e2903fb Mon Sep 17 00:00:00 2001 
From: Michele Baldessari Date: Sun, 14 Apr 2024 14:09:15 +0200 Subject: [PATCH 40/64] Update ESO to 0.9.14 --- golang-external-secrets/Chart.yaml | 2 +- .../charts/external-secrets-0.9.13.tgz | Bin 96126 -> 0 bytes .../charts/external-secrets-0.9.14.tgz | Bin 0 -> 99176 bytes golang-external-secrets/values.yaml | 6 +- ...rets-industrial-edge-factory.expected.yaml | 507 +++++++++++++++--- ...-secrets-industrial-edge-hub.expected.yaml | 507 +++++++++++++++--- ...ecrets-medical-diagnosis-hub.expected.yaml | 507 +++++++++++++++--- ...olang-external-secrets-naked.expected.yaml | 507 +++++++++++++++--- ...lang-external-secrets-normal.expected.yaml | 507 +++++++++++++++--- 9 files changed, 2239 insertions(+), 304 deletions(-) delete mode 100644 golang-external-secrets/charts/external-secrets-0.9.13.tgz create mode 100644 golang-external-secrets/charts/external-secrets-0.9.14.tgz diff --git a/golang-external-secrets/Chart.yaml b/golang-external-secrets/Chart.yaml index a2a2b06..6e2f5b0 100644 --- a/golang-external-secrets/Chart.yaml +++ b/golang-external-secrets/Chart.yaml @@ -6,6 +6,6 @@ name: golang-external-secrets version: 0.0.3 dependencies: - name: external-secrets - version: "0.9.13" + version: "0.9.14" repository: "https://charts.external-secrets.io" #"https://external-secrets.github.io/kubernetes-external-secrets" 
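Review bot: the Chart.yaml hunk bumps the external-secrets dependency to 0.9.14 while the wrapper chart's own `version: 0.0.3` is left as is, and the tarball swap under charts/ cannot be inspected in review; please record in the PR how `external-secrets-0.9.14.tgz` was produced (for example `helm dependency update` against `https://charts.external-secrets.io`) and compare its digest with the one published in that repository's index, so the vendored archive is verifiably the upstream release. The trailing `#"https://external-secrets.github.io/kubernetes-external-secrets"` comment on the repository line points at the older kubernetes-external-secrets project and can be dropped.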
diff --git a/golang-external-secrets/charts/external-secrets-0.9.13.tgz b/golang-external-secrets/charts/external-secrets-0.9.13.tgz deleted file mode 100644 index 464befd970d337e51451d4871cd1a9aef6458da2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 96126
zK7W`ccnf`^p{SlQ5}Ms4-#4I{x0oN7P0-URDYt=_X@W%y&@YKp(8hxf)xO5%K%4R! zCVjjU+ll&g;hII-avEJ8Du?mwk4mQw|9_E2iH&dLfa|&kBO(Vk&u|#wKM*FDSf7F3 zQks-mn+IbQN(X!i`SRi-`qDWCGEG$Z8=t>k_`A#$tx7#$zJ$7^*u*I#lPc5!6ppOi z;BbK(mm@%=_%D#aJ|RZzR0XMnBbTr(~1 zo_^{0)~344&AzEa7qoiHOW#pPS%z1(G8#sH^ERAZrRlX*V){?KuTyGz7F>o&m|@MX z5Uw?$Gcjk&ls3ZeB%Rrpefm3e-dt61FPb9(DX%;FbLx&dj^AsKwC1%(UVG%VN1}1X zL+9HErZnOr)`=yqumnZrPW*!}WYhg{!?`tw!6R^z1q4==x>v zHMk3(!8I1|;4iq|b$N&m9({QVI>Fo8q0H9j%_=s+wj_v?6H0f$5a!8Dm-Z~hIq$zI zBeTq6XBG;+!K*N3ozm%f=7#+sxa)#N9l@Ta-LXmxsVbIYOe;sk)jFPZ;@%;IBkH6jY zrn%RU1nd+gA_7u3CnO=zz8td;*PU|NCDvmrYQXM+*~VGYEc!K^y$Di|9Hetj|H_ zpT+~~&{>-aTFmm|JYz{tvXwIb~*6Z2D^qo8=%F`Jc^g5_OKQWirr zAGFgD-KJOL045AH6l-k#xzz+|g`ApnUo9Ut{Fz_!7eSFJLlvr8@L&NS#ku<9aw4ge z25bTR;J4o&@vZ1)PQ)bHVHz*z`n4aH*0o?X4-1Ce&j?-5<^6?0=enJk*offZ)ytKg z%=D_dm4W%fM&-Nv&wqdNA0zzgZ+{!0@8{j%+y5Hz>$fu1S^c;guR!B`Y{4c`9N~jq z8TPRGNBhCMH?wld_^kAM_jJ7D&He;VLweuk)2ndK%3}jGlpLHKfBf#O_CpP+9&#Q; z!;|Rq%AJF`dpkLthhGW|dXBmOhs=P5H&63X-V@cugo~n9REUw+6gkR&Ce0w$3gV1$ zC7Wp*`ecjfW3z*%iJwCll%9`@S_q#?Bo_o9#jLB%^Ic+ExOa95csw<$;c~skn*H5sWe_Mo8YwivDR$e1)y;E?dQQNKEamTi8r(?TgTPwD08y(xW zZ9D1Mwr%b7`+nc9e^>nnbJjY0*1@VZpE<^LkKss?>8HQZ)YsH#_f+E*JUo^5hfsr| z;IIJ32@@zSx*r={H}($iUgKji%Ao;SO4WoT!2^w0iozn-AGF9@?iYTss##iy`#JnO z;*W6F!0kf*o7pfDbH%Rsq%KGmg@+j$k2H0I#wzAm^!m)v^4XfzrUYH52{Hf;gaz)n z3?x|O^Zn@ox-h-l8mxu7?uTOZE<+6Qrjv$YDwL9KG0MxJLF9e+pO~xOcH;QQVXC|Q zc9~kQN+t}McflEJB1}~})5R?DYH3DEab=)WDQ8xhtRP`-NZp(&I0&=+poJzYQesl# zaWF5jXIpr^9l~<{K8j`wW-xUt87v0KQ7g)x`QOTFLi5B&?^@R?x+2iIW`~He&LRD4 zVoL4hX3w;IGLQZ)W`19Hw~~Pk=rQjUuny1EAB8ULx1=`E;hv7}6p+cllPMo>cMzBxBg(wRDNV~RqMmT%R{SwNvruc03wm;D7x^X zae{L|fhl?23BZJ@0hgSzzIDt@jN;z|lRv>Rdb+_A>ed-@KO-TAM}6m(6U9n@GBH+y zyjs=p#si!hD>%I{lS;Qjest!xM1JEQB9Nr$?PTepvAr93wxR<7CxA4(g;gaWClQte)An4NG<=`Fvt9c8f-vSgyQH7?hwLXUCem%wyG$ckb7PNyLkAAP6p!&hVhmPW z5_v)Y$!xWWVajZx%i@W_0yaIBKQKQyFw4Y`^UuI1-ts#>-|sKxMJfz)zurM6?s|2s z3FXb`s&)AjFX{FW_WsOk$f$byv-PPg(sFyzeXP=#4(hMjo+E^5dBg3ln$zjrwpZe& 
z%1dpqQnY<`CnzhGqlezLh?e^6P|)VQ+eOKuX7(*%dS2E3^N6}=&q8U`(l+z{ji&xJ zVBSN1@vQq0VeoAi>vPgfcel7d}0(a&L=T2f(#L!_O zGks=dCzxz8UW?<<%xtU3CG$V0_YoMq_5rgabkabqz0&o3xgU+&`Q5x`5ArbdfdVOA zEcRPwps4$n8BktwK^n=lB+m_XOyBuU zK6}1^!GGWo|8?RJuW2M!Iur42gF5K{#|90MSvDj^QEDpFCB8a4l%VR`X>EGFCUKIe z9x+LVOI;`FVF~!9fKIz)kKaHveyd{3N?%7=pC5=FvU_r}B9ILp%918cddfAz2~9kD zh*l52r}%RFZGSfW-n`@%N*dZ>Rmr;h1FLBx5mKuSx`<@4E7hwYmL+frX*Q#5d z^O%Er3SBkpT6Eh^eF0g`QDmF6K|FkDJ?eqGiHomp@}{}+Kkn!39aieM`zbnPVfgKS zCM;4VJIMb3c%S3{*ZVwe_^^QfrTCd0d`lV{O?lASR0OtO2N6-4{yPlmO z938qH;K+lGkUI>)=^16lnC=}sV3%jM_BOy`;gdBNb(LQIU&CJH{g_%t!8}zv&%5V5 z)TanEd>{M;{W(vi2(6$P^BbDC0F#v~zOsYQ0100$4%6gVTqlYJj^B)V!io?2uh={} zAfIJ*<-g~cpgvP;R_x>aEwe?{S0ubn5TEhG8%0gvJHfSGd>tGsNx*KEL*kn&%D6hk~WkNu0-X0gpDgkd5{>Q=Q6 z-po>aT%c`@v6k$gT+=i^xW%JAv=N&9VcAwVXf4))#V;4lI!WphVqv9MCp4suaop3Z zWR}r_NN3zLO}@d39f_hKW$Mg8)pPKLxstjfCI!nf(p!ZhDGmjAG(7fhGgp)$0HXIU zCWUOjnLDzv^$i`G>xonVO19x|ZJzH=vlo5(B64Ak zZJrB81h#TVwi0~|>P$w#b+jT~eiCcShB{Vo`~@@``gjh;=I4sL&wwU0x!CXEQwWdo znly~&0c;cBBS`Wep!8jP)BGA2FE@XU*mRBeST2rg-48UY8|=`EslOVvPslt0YIQ0* zPa#Jt=-uVB)tl2jHa{iHLCkiO)PKjbet+z^9Ke$#Tf3>v!oBy2+M}UVM2vIu@lx5 z%9G~EAk@`1p(ju3Tr1ECy`5wuT#sA=u$eLHMB6uv@$@1E5G{Z+dN}Z>%>ciejI&RS zBUtOd)4ZH%w>hl1!q~s$DEDzQVYN4MlWc4$~ zj(Z65pNVdgZyib`m8u9vqf=q4-;|Lftp;l3URsi3A&>C?xaYyuWo%~O?)e0{;>Iq4 zD^b%IZPEsE5TKj_U2T?JB!yug|+4Jp7qA%fInJa!!b2s zYAeDKjeE48LC=yk&Z`D%qI3P}eFVIdhk7`TlI8%sx&Msrh%Hwaq6hu$fjzkW>p zc=zw)pgSB~^gL%W_?rxoQMHe-f`eM{N>9gB?>pnKHDkC<4m06sj4hu238rSwav%nZ?etLe}yBZ2O~BPaT=(5=$4J% z*2~@l^2?~SZk4`A6Pa)@hyXy7C%*1~Ni~7~6vV-+TXvFGWo;P&OtJ4m)`!{-Vbv_C zy(%rg5I8lkSVIqYdII-cQiAR3UA;7J)R)4oRHLjqM+5@vytHz__XuR@^9?m$j`;1n zfaI)DAp5&fZs>*meVc{frFPqciAokT^R~ijAS%`2;o4g(dbPG zWz|6VB$S##7a<>XZI2G+iN?XUb;AI9y?Wfs3FQGn#$@XXE1cjj+aPm>ZW^fXn4PB9&&TZ}vsRT->cVKAz6SmvC>0*E zIIz@UD2;;ze7YDCEYlZ_zosu*FZ&%l4%js#gGK9(}jpYa!S`6o29d|JQ`Vcqk zRMy*40kZA4_#lYP>XSj0+5r^aNqAXtpR)+roREh=Y^|cpk}sj1%nKFOA#UXMgD6wB zIex18r|Z;d=0;4piKER^&1Q9YawPFpCw!ZZG8@|EpZAwlOZ)4GOVZ}pcm=tS;# 
zPbbY04d=<85aB~@MH0Fp#T1XzSkTiM3Bg!0IV$mpKSPMkzEJ!|uBDI?ECN1~Tw3HE zS#ZB>Elg6r8(3he&|eXDE-VnkfWL+iX?)G`#-G0mc>UrQ_(c0E~EoY7P0<4C%*R zmHwvkM0+?7s0{X6zYD4ZW8_(AF@BfNQEpd8jRx`_)g1!2yZ|Zig#WiJho8G_gxw*bWXaOjou{){t-tKbX%UCUEK5qQQ&-nh#Rqm`wq+&^f@~)37W%} zZXLEt&A!ypEs(key`QEH;W%t76c+wFg{F)zqwkrFVD&z1PE$A%vYi!+gFg5Nbi0Lq z7l`NPnQb3gdKS~QKqyT{t>3dX+p(U|UIikxP7jaN$>v7RynuKA>GEo3ZRkj+SrFh=(5(K|_L%mzyZ$ zLcLvLe0r5I>oT9eBQ?(Vgcs$o|fMqVw)&jP{s&?oV7Nq|KG#ZJ925+2(D9!e2i!+X*NR zdiwsLk6t1#_(s3ELgUdQA@vG?ulPO{#0?J?sq@P21G)97RkPBGw#}G3bJVF~!c(Nr z2X0GT`^l{BIllJu?Wd=v|qLdO&smFY|yTWKyKfaJVUYyywyV-*nLP!PeBwRoPZ8pZj&PD z(Z-ie6SYLJ0mvdvzI9P|+L0FD>XjXrxFTEaHOyP-lr?+uirAThVS2R<-u1f5rO=lr z3*`iJDST&4FtIe*LX|Fg-aXuBMH~I*7&2$F=DqHA%=H?+<|Z#(93DLSD)mc2#|zF* zj<>v(p@5I7DtZ02g(PLP6_LL4o*x;gKW1h|szbPk{Ba^75r!db0`6c^|6uYeI^LZ! zN7CuvCFh};U#;$f=~mTe5KnhCU34Xjm8qcf_!!07jI|`owfOfVXXI1mN5-lbJf&Ql z0>D@;WbD#|%_MTpDrdDP$A_uEmkzJW-g>jArFI-uT5#2`((Cv-io}AY0mS%nyM$y? z3{ZZfJe(8BLZ<7m;;)+4?K1|@cjy5?s#D4nwXM5!c1Dqqf9WuExYF zi+~YUb3TNTzCF4|4;B6`*L7lv6qRH%W8h|eA1EgWVE}a!L_7+i(CAON9gixZLLUXa zMj8a^Swk2$$_qF-dnee0J8SBR4b?@YNy$;G?^X47tzgeFg=P^?!Ezo;%o>Ap(X<Vo2C+geH%BOBZP~SmN zu3faKi6}aztTm01N8#-)DZOCtEs4lnBa-OD0zzkvUP)vwoW(h5H zR0i7ST~5ce1&*y)S^Xh@S6_+hHt5*!4~#o0x3q$&De-Ks>*)viL?p*LW`5~+P@bvO z;Gblu7#TyCx{TDWysFfO?Mjs9nG(X#eWeM}-L52~NeT)RmFMho<8J;1tCI5#i$HBy@6Z37$}9vUeE zL##{&uWMFN2l|b*QDR)0Xd^=|J`I^71l81O?#_!fxEHd+ebDw^@61{SH>|T`9Uoq+!ebCsxF76PLiQ`TkYuxuxSE@Gu z)2#i*mj#+U_Bg9x|@_3RxA$_5RXIuHCZd)LGb8 zhW*c`Ia)9mc>22IaY?+udwGCwb}6@4^IjyVzGg-mG#Sy2a#FMkUsf?6R=+VveHX@f zcVk3uR*lM*KVk?8g6CH)v?CfscSJb8E!LCMf&OkD`@<()E6+LphJ?#~!;#0Cxjwbl ztevxDY(-9$98J+vki6Dma~5T<*14pii`pQu@gI;k=DAMg=?xTPibbo|FKOF?;9IE_5w>(9BdN zi7gY?9uRN9orsOX;5&ZDU3MhT6LadOb7x+L;ar4PG7eOg35!-DZ-NXXiI#ZD){Fn zJ{~@#BBkAikoCE@7{-+zfG`(%_18pYqC?}o($@^|Q z++-2juAbhpZ^^l^^~m2RwHk}2kHX}yqGSqadRWL&a~Z>B?Jk7R+8hELvE^6<3pS>+ zSA05`_X^$`=R_=hhPF~Wp$6#IjN>a%S9*mkud>9r6QNim+>hNcWow?(13Y3K_h{$Z 
zNJqPET`OWOck!`VMZ*Z$sXE};4HA>u18rCx1(kKO9ajsMcX2Ks7Z`n6ANV3XMEr3renu9PpJD&Ct^Wce6n8w67q&82Ccrr<$1` zx?Se{#T4nDTo(vd^!l~b`wd3XWYU#dgHdKEB$Vhe8#z7as^EIV-<%o^9Xh=JdavWx zHBI5XiiXeJ=yd{Kp^3iQ#_R18svwjBxx*+S(4|8&3kIOYmFeREukT?RS%atpro4fG z48ut#7_iCUh}X$t_6}A6g@R&FsJyDmJZgUen_rVXdZiOUx)Pd?9v@ZOd6ZNPVUFZ0 zNdy(5@R-ccvr^!K5s zB2Vm0Nmb+emD}XQX(PZo9ghXt&YkI9!|^Vtu3;w3sA3JoU7a2m;(CeEd##<_wsLe7 zUni{;{^dc=WII&Wp6^MFybxBJ6&7v)Afg^Xfru~f1J_eWE8QiS47AE)#H%rzWf$!F zJIc}=sZG@9XW>4aA7_W)!amo#2r}V^#ULTp7D9P~t9oh-xU4f`U@-Htl-A4{<=QXV z<1~z;^s}BjQY&^$=;L-e#H%=fk?;4CGBVrlBqed`+>|MbsYXrFMHq%1hz)>k^HT^;ZiP}k+5s!5dv9ak-yMI<;6GBOPzMr(Md@y@<^fuj|U&e}@^RdF>f|#N3vC z#C#bxU4!1K>*D$VD_PbZw)1-?t1;-7p;h0_wRIxp``Z5K!X#vNw{C;N^Hyk+u&ol>%O|Ju7mcy|%e7r-= zgJLZELYXG4qIH>G=&|qA?Q@M3rm<0HyPnDfYHzsg- z(Qq~0P8=OF#TDQoH0V{A_%z+8!_}s2${jCo4hC_!7FVl-yDUyp=w|(XH-L2KUKhDG zXMrXD2iU`%`*2cuUbZ`ZC^Ag1s6#m!?~@J@PHx&vwJ7$d(Jb1ORtXN)AenDS_LO$! z969)5N;!B0DzFho2AQ=JPQI{=%1Sc|&bE+wT}bQzy_f&IkW0;%jeHRt;+G`e@}eIi z@cwg&XP`vAr9T=+H*`?lg48&eYEaV;zS>dd-gM^Y#Ze$*=LX-wOyrQGJi++%>o)ddv2~1OL6(yIlva4Ib8*x$l=FJNNIGBlZu0J;!86912Yh z$NKU0?HY-r@L4pr5Y<$j1;~tU4rmr_0G`w(#T(8hQ5D3(Ly(6%8rx<51dh2<1s%vi z?LXCojOelER1-fbv3>Ntpj_!JuxY+o?kfgOebr49LTZ`2wSFy}+=a)oH@+Q0`qG)8 zPYEfxDxBf8q=7(HK+REOHWjDUl9oscchr6UM7~(7Tr3mMX|e4|^PE$E=vJ(%*k$5S zdV+J>DA(?|uRDCOx3`$t-4&oCCkQ%$8koJk6$8I{s$M-wCVVs5^x~-geDOSz%DRK3 z8$LZ#;U|-YF`Rld&S8nG8Y4lJ{&wsb;N9w!OgSYk(?{Yz#1GqnRMr|d1FW;>M2BN7e1rBTcgXP>QrcND=U|!Xb60Pk}x7oSA zR2XZq1K?{4txCL4a$Nwnq4{9hItfwaUwuGk`N0%P7#Ov-U7>8kFxUoNcm1WI4tGF{ zTIX!E5P(=;um|I zQ&voKus|K5%|->VnEbF@sxtYn~@ z>-2*^Jo~`^Hu=T=L2Dw9fsPavq=zmF7Z*PUZ$C!oxKKCWg3 z=y4P=`RcH`r}{&FX?H9ujQ+!tmUW){<0nn$_Xq z8bK^D%<-3bn2i$C>!SgV%YN}bU01mp#s2g^4%|+@P`{wrw#2$KY&vV(AkR~3UI?I$ z=Pji)y@Fg}LU%CTmAI6)+AkW?Id+b1vi-AjB9bD;wdr<#;AM?0ZQ#&9Bg}@w&Zte| z?^W=VIqx51w2C1eb!j#VwtHneeTYV!BPSziGZtd+0PbF~Yt#=Tq}-_*YE`Qho#qpF zb5T~_T$a*@EMYqrsq~S8MquSdAgKNM3Pqa*o&Y^d+BYoJf}h3QhJKannlQbf(*S@G5r;Jfsg;-Zyvsrm*2_v 
zBo-;mtin(2EM5&IFHTb3OUpt@V#Jq-qfyZ&9ze;&d{niaMRT*-jGVSL%98#6zXjW)-ya@t8=h^3OtCTso>-$WOTS%> zQU#|UYh&IaAa9knledC`mMs|WXV83fOc-Ye_t&KjnT*{jbR_TcNbXS#O76DND!mCr zPHQ9nY(*3-=>DZYh(+ZohX<)SB0%>K2d}h+Dyhti9xLAHz~p9pk4m^;DXd;UrEY#5 ztMthltITlB_@Q|oXuum9!}{m_Qqi;@^+MD%-Z#(6M$EN;@|`lM*=oc}8hvftTF05W zYGK?OK5AS4u1-_ixgKo|h3q~ry-9p8Rl_O0uA4qSRVdTBUp~9T6Pm&!El=e7njq!x z_NlLp8qVakt<$h*r{OGxYxaPPalf-t+KS!}nnAo${oSJ@auf08aL2SE;w*WyUM64a z4&8Hds&(R<%M3$Akk;axdD{_Ck{_}^z)~kiX=D~K`w6;1KpEldSSnG*PDK$@n$5sC z*|AjiX35Slgu&BgE;-As)wM4uxe%3?E9pUJG1S|%DeK4cL%aY=E&l<^$4k^0D5%TD ztn>Hd0VnRT)s&KdhIIdEY9+$@b>b-;oHknm1h*DL2f@FbXI($H1K0~oj(u;&OJ#nd z&z|X5mb6hfvRD6+Snmnz0&*V|g_TFZ>Dws`m1{6GSK`!a$^C)Kx$l^Xe}dU&`~;4B zdhDLiz$2xV|2U2>*EKM~;>NH|jVp(i?$_o6GFR4bXjUQZ&oWX+cUIH!`r$hsouRQj z9>TI$#?T;PjNH%WQy2V!shl>Khf&K)C*P4L)FU8(<_m5&PavGrq z0?w=-6uSfChGaiDmvQ%>Q4F1PBs?b7@1*cc@7X>D+9kyb*p!iXIVUG1 z01n8S&CGwrsd9LtO>8Z*wy_aQNCw3N%9^E+a0@P@+-N104P+cTSM~3I3m&v{f2;S! zK0iH55B-=>w8H!!em$-cHOZkB=!(U068fctQnc_#yaTKH^RjLr471w)ZOgN^TWZgS znjxZs8VoZDgQEk^{{ZZ%{RiLIzAi5_mF>F_b^qqS~o}3vE%Kh!lp$I(rl~96EUOc;1m0wAH)jP0=~M%^9RT{ zje1aZ0uW=rp>6ia>mLV{Bf##GrDNc~V8IRM{b8PwZVv`U?h75D_Gka8Q9;wXhiu>W zT&o)UIkhrJT--`{b#~Y)tw zMc|;4ouW-i4Gw=V(5L5a2!D42F46B*8tSr!6tYp3K*SX!zMt3X;UL zxtxi;eFN#8Mq3Q_v5_{s<~Ghx%L|>uFLDVmNgTLur=L%N@`?r{QdM zR~|y1*TZZB4%pU5YxEJ+nQFUGl5$Fy1ANbdtQ+u4sG0`qqXiwm+!!>{rtJ5_t;qQb zFa7_bY}C|=%ysXZ>Bqa()cx`46C3M+s@6{>#W8tuIH-h^Vet2=l``?K7Pf((_s(hJ zuSwX*0NF0;sE{C)uE&VYp>%x~A3@WmK?Z=0hppQwgaGJUjeS}ot@{S<3utc}m(L8& z9l=mTldO?P3ZXmWXqRg^M#|yj$s5hF1U>9>vnwQdWSalLocTsRyr1Bw=$9YK!HDU) zzcEB=g90jQT|<6EK2(hhDLFo%y6=G6SnT;*q4+81Cg`W$R(|ykZKoVKO5YqQ1o+{ zUrlB-KCwgILglSO^Y;JAZne>EJoI&$xPD&Svx(_$Y|6daQaBHrJ9!}a*d;jY*wL*Z z-X4+dl$&dv@(#oTvZNnLNh1$*zYDCfxX40q7cg#g6BvSK!t?QXzqoNxT&p6OdtvSY zm$^K}AT9%%VXMr^`bfZQiL(k+A|CP^9)-wbct>!byp_MU{}yroT3nn+Y)6G=B!PWA z*GNMQy7=|8t>95KkEo0D3Prij)j&oL6$#W-AZg7(qYXx7^^%=)o9N2CFj$39cA5gH zw;J8LU2IgWTF&Oj02=fT!-J;XvHh$o4Nfc*Of_0SVgbm|q(Yqeo2WZl|XE?{x;O)E4aH?f!N&!KPht 
z-`Q;K&sY!)x$n7Z24~ZiRaGkUIitgQ2mQf(cSp}e6if#QVM;&Xn{JyAgzdqwD!|SI zw!D4rziYjOoAP6hi9%;C`DwNn$5Y5sCr_TX@MkPa0s%mlJAyi!lrGS(7PL6U@5d}1 zVSSp2M+KFl5%RkNRqL(awJ!7(McK$VfxR}}fW9(U4(I>@+71?cZJIrdc36Kz8lM)d zT16&P_P@t0k&Jf>C5Gjn71AMc;-pV>Y)7w}7`=#~|p za>LK&L)WUM+$2Z?&>HKtZkBw*il%(rKGFYMniuqF>GO30@3Z3b`2j!u)cv+Id^G)e zd%tpb^j*3ldF|-2Mu#m9Mg#5NJ&}Kc+L5^EU9{CbtJ0r9A~$@qb0Qy2pG8aLx1y7? zicc>o=xXiwv4m4k1{B>MjnuOo@?+T1o2up(v5s*7m^&>5Ob8S2MoWE3kw79NGcSfJ zMdOUD7R8xn)~B}-q~nQC0N5d~;z{dGoq+O1b{U22ohkOmOFMr-LW}4#q51=$e#Pz< z8a0_mO`G)*2P&HtR8?3zM3HqsnA-~D^=WJPY}OZxKmy3r6>=JF{8J`Lo_nu6){wr% zjdRt9*ZoyoA!kS|JBC6pp;zW^W-Kl59+9f^T8+NmvDFn3!yQ^;@CwNMg-%hs1(TKD z-}`{=@?hu0@AIwo6&Jd>%lhh0bkRwBU>wFUBk984_{XP42Q~U?Cj(0htwB;F45XL% z+jX9jeGZAM;tp=`E{ye~dPj?XT*wH}+l2ZkO%KCp@953&)s#7(qlGpWkUcoWaQSuK z@(mS@O8cKlI8aTx(ak^s+BJ2fdTHetN9u${$i`m<;AA2IlWjh_Xcfd`r?^1zVGSk}bk3 z+D^HAy=aGxG|nD9M?t-%$GX#ppTcAo{pSwE&d^^zQ{G_rp!G5E$9y{jL&7l;jAY8) zTK<9DXnVaLnA)g!&)BV5*>>+Xg{+D22pz(?G->*dxJBB2xMc@=ysz5}bxBhV(i3wf z0?88_Imi9!8pgnKNL4K_t~!npiD+!lBC{fJWEJXJKYs(1R}Tp1Il2}|>D{BbX(Ab= z>5=Q)ZfBIs)Zt{R1V5LI5wNrLH>>UzgZ{>&?o z6j5Fd1*YVWBF*f%g2Pkc{kPJC`cHRp3ceG}Hr}i;QXXag%Q-gb1B-+jtO8-K#Bjgh zJS9@ot?B?s<$UUhK6o+x^pxZUO=kMfC1q`F0uothLTKN-l1d7CdWT`mzt7;1%WV@CGFD<-aqG-=f1*2L#g$T+$z-cnjWp{@Jb@pQ;f ztnx--Scu)Aalfk_au&Z9c79(|PFC$DO!^yyOVUh04nSowp)h8EZb|6qiBOSLFK^Q5 z|29)meUo)*Kx&Grr*2r6a$(;6NLF_>HSU*|4sMsW(*sDbI5Q4muHjMUI0-))v3?he zWtB3R1!=jV85RJsGLFWhn9ZZ$KI??I42uoC-cio$25@9F>ga*s0yD)j1my3x^z}9G z+ETNP*)ys{Q&Q8bZ^0hG**l%CsqkWrmr=kEKo*cg{Mk4dSXn;lH#kELJqOq1GCY!t z@!(mP8@9ybbA8{w>Bk4<+i#s+=Ol)R@P{#31+@r*lI!Y2)j91O@dl6yu<#XO4yi30 zr;Ya4C@r&`$bYMw60lUKT)#IsqK)}1kl!QcK4Cm?sbH}wRe0=KSYmLvl22pzWMcP> zKg*J7Q&TL$_G>hyX@|N+_-$1?Ye)|aj%4Z^I3g-1AD&g)NSM*b??~63L<4%ATKE$m zGqe@Uyn=&Xo&mq$fRW`HfWqem>5p2%=#FIIh`B_Xo?z~>09_Xam>=B(SMMfb!}K$p zAKi~n|Nd3gC%?|xi?=R3zN)oZuD%XFy1$bhsA4w9)+~6?t53P_U3S(E6Fq`F67 zSr|I^cQWtx>&6=N-!E(sj5b33R$e<~Ei_7aY6wUm@!%vCVK_47%2N${&U?@xe6`Qr zHJ*fk+XG-pLo6r-^~?S|!^{WP{Yi^;kuAw)yF@H!6@tdU{0`1HPD|S7g#N04rbRq+ 
z+$f&K==}qhGx7xOrFkX%u&YEd;Kih$&@{p*!&q(m>(S1tQlODq5=Xv{c_I^5`s`3? zD2?WoX<(s>VoEU~D@HG`$|jdD3)F?{kr^q!!=N#1$p}AU;gL^j2(gXh0DjP%zXw@I z0teG3_II+x0|r;4NB|-GIS}WoqQI;@X)2?(0|DzcV?zc38nWf_BN5|=`|DBsQHNs` z;%#7Ye<2}_3Da*{!WAawnWG$wU_ZoxJXtuyeLM#Q;@}_sdztV-Wos(d|0R5bv^WHC ze58I(<9tmo_M{Gc}3vrr~Jit7>) zJ8D)%q>&9t*I)*2C~`B8w~`9&`VE+A8H3XWR?w?BY^QWWmA&uod%?9o`f*Wx5vKl7 z|6Jj9(|Q2Cmws{kYFb*p&{6q-_BV=2BlC>wMx@vG%rw%gj-&5XnzOi;%Ko{mXOhR~ zx!z1P`$#o+gc20Dl+zT7C5xWL7u)QwqaL%ib{Zb5bKKBOL*gQ(((@;)*`$)C#~eJh zA{BwrIEGgi66RmB>oD750am6~7SyWws}}=}v%RFQjf&|Shy3R^&3$<;ZyyNq#>>6% z!#g9tV7hX2XBrP`@o>SRYxo=vB5|Q$#nM_Xbhh7f?1q!PL5s58dr$}}e|5!@g)n@` z*NvB^j5Ct6?A5jxY9>#Wd)37hY&d3@6o?Vh0hRoT$PNBmt;ZEV2K^yxAfQ>yDeFV| z@ttz4kih4PKohMjNaZUttiAYcQcI!Tim9>t?=D38hf)hTlUu{VSCXT3ShR^C z0vP`II>RTHO!_=_od1S=_gn(@=L-v9q=?PzT6?vf`6<8nzRJg6rYj_IoCD%H8wxoK z23NI$SdslVIY~TTY&XLJ^B{41_S~`MVkCGm?%JK8z)L*ToNb(Z6qX;w^n-?e@eH5l zixvyg-S65F4L`B6>giX511?<{VvydZ9>a2q>j;`Lx2*?tXakCH+uN%A+0OdvJ2+IR z2aPqc>Mb|IkBh+6JDN`+4xjBe&n*Ty1%|-LguEdu+%-_poq#cqOg}zUC%3*X?Y`um zx~E^;GTp2$6!)r7w`NdN#F_X7SVGy?gZgonK3z(Z}RIth2LInTF9iL&*LV02D?Bxk* z-dkho?@1=)#DIShI54;s$Mq5Vnxot3=5zldVo#ZL6~-QuKp$7Tz9F6*wTVfn_2^|v z`*?F#XxowS!A#P`om$bS(9wvU%0H3t$zE=6jgUR>%pBMpt66Zyw?yz~4P;S|rG!j` zWG; zcQj2X3oa_E_GN=Y|4|w#T}_HL_(XYl{1@D*q9$9e1NuHI*@tCtcZaVN#H$+a-eR)Z zpKV`e=jrmKz~GaFrbD;uY5d9iWs_c)Y2)})eNaUas7h5o&-mK<=aTM;mR#W?W7})WfhrQZu1tf~LeoQTl zTCrOPM8Q$EvXHEwN+SX`wULaSV9usTCKVe9=NS0Ps3U5@YqYeh)K*$isD=lDy$K2l zrZN^WFa~&LD?b@xGP;~og=y31cWvS7;tnAeE*=7-_C-%f!YZiH2n&TN*xoj_R>VNr1vzSf~$a>NXZDhxbUKKR7huZ-T1+MhU+*mG}O0NJz4y{4pqEA)&=P z)6ekLL38O#eT^*DLC_s&Qx-cNXqPdSLG8yV$m^xN(d5~XsLPpv9-6KaUlMVNbjS`M zjR{KfqS*7VKw|f_D>H9RS=qZ%^{fE(!%BV>UER&=oS?W8dMhvj@E*wMy64l?*Z3~l zUm^)7n|Nsu0!hF~{nep8C^XcDB=1rv{sa(dyfRp^RfNEfQ4GH=epcZqGppCEoED`) zcjz{&&*Lq0!4)D4No>U|ku>X~^uTHb2i;?(Cuiy8ZT(hN!P(rD2zybIlGlMrH5ali zU~Z5OqY}5Q4JB4j;x%>wkR^ik#zX&Urp$zBdv7Y=iUb%m!LMF&v{T`q{UP5I1CazQ z7G$d`IOnhs!&18{oYbk&P`)7|b75u%N2EyigB%yY^|M4tYT+JfTJE;B9cPwMD+YwD 
zj~xFAxiB$)W*;hSBrmel?wr8shf<2XORNU*7^Yo@ScIJ%Qe3HJ1g&t3WtDfr5Dy@P zSaVkn<-06^uSk=2B_YRxI=k^wzEuzh{f?6mqNaT+*3dW# z?i@)@;&U)POzV}wmOM4w?|6Dv+DCeI1A*({S5-PmTBmjV^3z)FO1Nk+_-RcfJdJ`z zT4vZdQXj(ccxn6BC?48nWqZ>O0*L+Hj5Avp(x*k3sBjktP1qCT)pi6@!95h0*kToa za&w_ENmdo0AlN!so7YuTLbU0k`o&ePUKnANWc%f{e2=mq9;*2at{LKn!Ao`4lH&+_ zsm%j?b-L34_PuHIXr#G3JlD6mKQ|2WTGh&Gp3k8zX?&SQa1fbhR3tq$6K`G6L<)5t znT6)fr35U zirJOT*^2EEwSl?yZ_(>m%T!=-xI(6LaKanXuM`M_%eQ5>^RQx&qPM| z!%ABF@Q09*1$ZEgqRC|1Y7t|l^A&T>QrfW8s~8@$+k_zylV*1x(`FtmxT;N4v!^K= zP7r89WQ+0_+W^Q@i0u~z<&&4cXTSOPX3i_nCHtq^N!{m1Ho+G8h|e|T?L&9!?cUep z8bXvT@svhP(MqI3Ys5lKAE+M>wD)jur$A7l}-t6C- z`FVWtaAM^A-lc9Dnsr67K{c;rCXo9&5E9I%B#3S{#-6Ttt69C^5ZuT%g)AQ*%Ia@D zf!T>DIkz7RIjLF+S@-?)>7aY60Lhz(}63Cfe6>8Yau4EYaXfYES9TCzov!@O`>!bk7*yxd*3Ln21?V)j-~_sKNCJ={~a zOIh}|YOcavO;+(I3#4asZX*3b_MJt9vla-hM^-w_D|Xo#8Bie1WjuW$g?l6ND4(7g z7#GYqF)L_>ii05-$+(pA1WYHP7A_(9`M?HF2dN(wLuBYMWwWae^#!qYYYi(e72SJL zq%3*n#QCcpFj z-b~W!3v%of4suO=+Z{^KaTr#X{-wVSsbTveBG(s!gp1D9T!;Qq;zIh#VvI(Y*V4oN z=k`QeF8aIhXrx*dkxjZ>M5l0&;Hg16e0@MnqgM`;@P0CC2mHF4aTzaPuL$S`sVP0< zpC^GdiI46K)5!0-uyF1=aws#jpVxlRo6jzTYhfc$1d5YG@B$<4Y%j~aHOS6tKsC{c(E z*H}HNeP|EEe(H@HbiY^B?`6!eBUT7Mim0#SrkIi*ic5Tf;<5V7P?}vqWGt#)EyCDQ ziT*IMVHjBsu6WOt7q2@(jv{Z|t<2OR?bWkZm^b-AW#y(fU+(-w>rN$F9z`7|{|tck zbst{zBDL~ky=Ke$KF>?!^Lc&Pm--;EWnIBONl}w&p;DT0L|NZ-%R%-OF;WVN&sUum z6kUMs7w6Hhoos3`1S2$Btz<6j<#FKsRYYz^(8eU(jI!uJ{c@orW7qLM{pz@8bbiPr z*l@B$#3#ITgEN1EMrRREeqXFQehcEF-*|rGO{la=fu)TGnH&49kDXxb5ZwtmMzOW4 z^bzoh=8Y{z%l}+vOkpr&E7h{YEd=|DX-Oi9h$1?M4NtzL?VFh)9R@~_m%Ph}@tm9z zoC#2HlIzZv6JSr2Z`5_3!2JVs*-(qWKPVeyg(j^$ObCS1c*Vl69LGzEyUY9?^9QS= zMY918Vs*j;+boz}T3meEKSxXY5vYkMeBs!5Bh+%P_;AqxNmw>nzuWl#9FbGOfJc z=K+kBtsX|Q8ZVR#!Q${56>w+UN`^pfAs=HyY+vfvf}4#zxRsVo`N-e0C9PuK?;|qBXge4Clu`>C zF3tVA?8>7zGHj=znOY{*yW~HLlI_a8C!NA+JUYQovU?>*t10&+lFFp-yXQz(e?NQ& zb4bxfSM%z9h%nG~dtswFVZ7DnSG8w#Tb$aB5-#)Dk7Y;jIULF@n;^4~cBBN4@7vxZ z=`dtRO0qf#c+CrGRn>vuu9W?fmu7_kVqHvA;OW#i)bXn7%m*|e5B(n^1-}!IB7a6c z(;gg^B2PDRb2Js&XNcHuM5R$vZ%ehl<~XgFV1b=F4}vzk 
z_3*5f?uk}1bRq*&ow3HaHDrWd`4x6fs?ykt`0&&|<0UZa_CI?q#$58r8JEoy%Slh= zD_S-O2d6q|VUG#eTF^vz3hinbunoAh)xpDj7P%4)7EQaWmn=0Lp(v}94{bE>*;Uh( z8jZomtDdc6&%D98A9fQ`Y9M)-#?S@f?m)__ zlVD#nl(#jwbf!qL7x`RBvB~3Xb7uQZgmg=Uv+x>NxpQP7#QK_}x@}|gXSG|UD1EeG zf>dN*YAeRj!s@i`ZPj{EhM1xWssr7?c<*_HCK)h@^uR!MS*#*a5XxMLAm8m|7F*Wl z3Efn8Eor@%UY9D$0+(>iRDg0TkZ$h@h3cr*BLGYzC6ZGECho(E1q=?lMosei&x7hs z6|cq1SxfFGf0`!kx#iBpYH-t{07kP!NHQCiYL;)ie*<9GZ#VHsZw^Y0PekPhk29!4 z&CTPC$ZV>S&4;soWO=-TE2zr|TWj0?RiXpQjsA{U-XL{-4`3L8U~)Ed$v4r|B|k{-t*E%Yo@z|}uBG+G~PY}K}o*$@)g5I(ke zr1;recO?w&xXkkq1Nel(e+LEepEm_TZc-mGHe+i0YveTcLQinSe#~*>yv8?! zizpOw<*9q`agWTDPzv3}!R;vg2;CZn&a*^-DG#S2t#wG_)b}_jOknvLaxdbr%n{?y z^ezl}7orq#TH;Rf8GOD|^J9Z1h1TL;8tWVjxq+RPN-wmj%EIXPg{M;q`o4O=K-X5N zj{-vbcT!;&=a8x;aL$V-p@xenk+^0T$qo(S?aNmSt0QB}DfE{IUt!B%%};JE(h3mM z*ZvjXdR)%Cp|`ZLhd6e>llKva5(-6Z^@|}E_?wfC>9J<%Bc^P#92dx-Y2bb#oVT+v7^})OUHN#9VzkElx0(wA zO%;CDYyPEI4sMf1fGFqk^y~boT6ovy3On!a#hJ;+$ZIE`Av(530Q_ED=G#D>Zfz&s zkfM2g(xrB}KbP`1mnyAO-B+j1vTR#4{>*ZpDz(#jBu!g1KAUncE|sT-itDq)jpMa=~|X5`^$x0)haf6<$-mk zS8Me0Y7P^RQYEe;D2tItQM_1DmC-=I^>>(3Cw~*K;xTl0wA@iO(%J*iz3!!Z2JLn{ z>*F-U!;;3qaF*(Hc0EVeaZ)oaS&htVPH!D6WCA(y>sKw2O8bkdx>Cg|Icwv~%V zrgY>s64 z=9qGBx9CZjBD;h_0TYK6h6KDRiJFR`V)*!&M|5ggq|@? 
z|BFucPRs>Xf22i5`q~j4TB~wl#>4~EX29-6+RNgak82ZmnILf*skKy+mf=H zkMI%p3s^Snkin5`*`Zw`SO^cvZFAy0O|9Ct>{5W7gw;_!w{Dq}p&KMR@N?Yf$zYCR zF$9tpja@6*7AfRKGis|b<_k66Doz?#zEsa7D+C-Xu#_{GN77S&{XCx>oasBqa#Jfw zsQk{Vow?=?&nHa4r*fK~Y{*O8LZr5THj^Lr>zRS`YOMD$!uV%15mTnOFs!T%}!@@{+G|Nhh^oUkgxq?Hlsp(9RB3osw^o8OJJf zSc2ATelT;P+N4?!!R*!?bOwLKSc5mkI#(tJb)B)I%q%l{>m0&sjdT-ff~1U&Hv5y$ zGpPia(UV|EN;Eb$&2A8!y&fxrW)HEZR_<$Ssj@!jd#c1(2VUXjGkLobj%XsTayIujX~CUhNEi@BNg+3v~3{<%Hd ztR+CJ6PBg~_7ExYi=9y)FsGKM251PeE{h6pLKgwb2-ZcN*W~iHjnve=l~?XI`1 zf?Ca&LegbAG&pbl>`-iSkv+*_$p`TG{UhpP203nm>!IIC0BRnUH8m8nH|R*- z$3^Sk2&Bh&B z^weJF@J@7DFIBIFpgPBY+f9?qnm>WnsjwXhipW5>3Vy&=o0ugrkt*>|*GBcyGIFa5 zO*)+A`j$hw@{&1~j0u)qp1&Dy|YLo10v6403yrm$siP&Pj9}#tS7rlY< z7QpotAh=s^+SQhqUs12jO}9`9n4_@OO7(m6{Au%Wjj%)5cji1FtexL6SZOdk#UEvT zkgmrkt_%Gn8z%*LIfP8qbugECyTr9Y`|Ips!Gg0R49?Hj2l8ElSg@o^;<&`R6jW2D zYuO-Te&S5d@{2f#|K{_VjxBU(i2@$;GHMH*e#B>#qAnu>$yspdPU4YO%`8XJ{n4 zf{N!?1;P*wL_&RUy$XAC9z2J)$|jX~avnS?=Ut@BbyUNLcN*|WSMq}y!O8Z8ZJ9M# zhnGrk^8JjGVivK* zY{aa;9iRT;e`3_WIUeRviY$#q9Ne)w&cics^DD7Wn9$goS3>8aju^wGctwJ9vFrrKY;BZ}o}aUl?LND5Y+-jpc>6ei7y!TbJ_$)+ zMrK1*TAViuou=qI60fUi0%lsm%X$H-BEk>M?6s9@jT~<_pqdR~{iTvmL{m!C3YY4& z2eSe%m709bd|cTkJJ(USiIuo<>d`$6P8ok90W`5Pl`NWSiYDS$^Zx`GD`itAJ?A1f z9fw}y;FhO}M->lKsd#0BA^^2)A?#A!>9k$(9hl)!*a8tomWdzD=^7Ng`DOj7H8DR` z|F9%aS5qJt!C)`~c|{p*Umb9h&b(}e;$&b>R@n{8nf}tw1e-sCsY9lTHuv8NW0aF` z4Ygi2pdnjx8#c3>XC@;uZp?Q;Ee~&`iP{SC_z5(Me1>kA6JF=wTtym9TF?m-ZN;oC zV-Idf#AG#BReW`+KN~xJGo0x34(f|28+q75N@vq=3eSX%8r<<5*ka9>9F8#v#Jt=Q z>Re$QC~Wn@BSW+Oot*yGoFOZFeS9pw=1RKe&4eAQJn;pWPpP0^h$5BFOw_%X>J9=~ zrgCM$GvQkkZ~?4)TU`|s{$5USikmA~Z02=IX%u5n2jkj0BT`*mfB{|Y^ucYg| zZo9`M_zG7I{H=Do2L}da9e`||N4aD6oNsRYl*kTEm8u$bC9l3&b|_xW!t-Y+5n`{z z1k6KS_w|ZDeC8(z46psl(p9MK*7;WR;9WUnG1Q^fZ5Qp=lJZZ}JCe6nz)n-q>IsSp z3_~|k;cu^F!+{qqaf`em2s}7J^JM)kMtnd_K%F@s%$S(qD@94qe4l3fCj~|F$_Ex{ z!)G56Bk*Wi4LQMg1+?5278_Zk^)aGk%x?B3UV;}#S2+&FiTN`9zawIZ$BEd&``>+y zZ_@6G^!DuO7QVw@0i@})$FzJ_+A0c-pD8%T;E$)cf!nT7n|yZd$!(nrf60$o-jdsF 
z;QiQIy_;n7q*?*2@m6;d@nBv?`CD_nS)s4nR!gH;r+sw!JL1|b9Rf_Hu;hOe$4wyF zx}tG}hwcGnt|5V6P?c2pnor(CI$Z#L@BSd`xK3D=k3IQ%0}2h19SH-=bXCRI%iUEZ z>b|jt+C%RmV#c)P#Md*QG02LI}Dwf;Z0qw zK2?wA!2VbGB`Y57){m&V$5@eMPiSVF`w~Ibwee=uqZy5QAMg@>)LPzj)JnbV<9=0! zV+OE@Ma6m=K}r{k{-V8({3De)c*%*&7lu*Tth*e*O?XL$9Z-LUw+#DmS}Ly0epvhC z$;x_te(2NLQLVOfDp|SNU7hT*+&6?>=tx_lP8-veAERby7#n^a_d`Y~DR|XWmsytv zxudEs_RNK!7 zz)-XHb9N_4zG)FVGRn;GipSg&*=vRNFX-(fd6HiZqx_5B@r}UOOE7J~ji?k+^E)KY zC8G4;mC3qK7I(Bv0kKX`#Ns4xj7V0BEs%~JG*_wTP3w{O;aipDmHfTqrnv{EE(7%^X>Tm(P^AS1ncO@iFf)haq zMAW!B4d+yXi_>KijxT5kRD%~E+1x&zPbHq4$A-%JmRA~BlvCY_&fdUQghq|pPW0Q>_J9}SBngkf_EUqHJI&@ggLcOoJ{za%{d|;E4MiiHzldftywPx3 zy_52hZ?$N1i$EPm_>~jvp#Cp47xJrgT&PYaF0a3Bzzd#}XTDiUyU6DFI!4P`6yMij_1UPn4 zA^egNIWGmn9>L{`(!9mEw9regv3~~C0Z&E!wq`-vP)g*I2W8U-2 zD3|0kQG1q(Lty5p%bN*(y;q8KZgA~SP@3D-!OH9y5R27l!tYvF<&=9#@~ab4JKmhP z>is+9SOe{30vC%NEPC4z_1H`nAZqr@bQU|3#wt+MqkABzf6$r4==T*ZtFMA*jo_53 znb8f^foPw?J;x@vBf$;mwzYa}Ww6L|l(cR!Ho52reVe7;o+!v$0i)fMy|1CLeoP)8 zjDS~%^ffecJ(^^EerS6QvnEu3{Omef0zbTw$>8;G?y*Ev8HsSSq!3nXBD3@GDsjlo zXpd=@=n3QXf0cn%G0DP4WDyAt)QU08Fh(aI0{KQCOiYdN&CcXj72VFH)s9iPi9ZPl z&WQ}L%^1>jZkXTTwjSn0j2=YWZ*@@BnEKKOKcw3~O$CnPdf@N6?7w0=>)r5f0z!+| z3=q2Z%Etv9`4Iu-3t%UqK;UuB1p6<92P`O63dhkYr7zBaZCXbqD4BH@-Pgm_{NUHa z)#+Yf5r8|^g(|wdye^uHitySzNTirl)Co8FMWEfk5o8m7dxCtcK(@`J0|i8=nFcM;LD8J#>dCC&BUkgPb?$rtt2yubs!V$ z&tPqLqP>%7#>`hxM;(&|RXAFYmJi?00V!bnV4n0H3w@157}0a-A_Cu=o1=w7JYz4M zO>gifefYt&>m6sR{^^Q#x0IlU^IdZjT$w2PCtvzBwJ(0Q&8@UNWq!|hZ<7Kjj4Zh9 zQRL^JqXc;pSz@VF#l|=8NSDkvZP*KaRHejMSfYsI@Y#;ou`}dS`4qdwP-BO zKe~cGXB$Esk%stc`qG0w<`=x|w$5k%rtce<^_#1!R9QmNQsTNthDXtyB?%MSKS&YP zw_MpmXRD$>PiIckSuN~e?`f)kuwTIwh~Tj1^-?;WMB1OT+^DsEP31irJR;iHU$;4H zaa4=$u}|_+eL8wE$NM6nR?`0r8*=1_Z*Fj0sZbgRQr9ggwvx9x(Y~H`keCgl#ez1I zj4x!U%CD?Pcf(j4P^j{ufkY3wvgWcD3D6lA~ms-Zfkntp}m)l5@ z3frx%+2RI0f4`;Ds;={)pc(I1TYb6!H{`8v{Q# zqn4A&=&np>Wy3g-_8t$Xo>vL*W$#eC|IJdb&-yfG*(TVUTOEPIU1EY)MQ!y`$qB^K z%%VTuh3d-dmL^)bWGoN=XP9j~TF+C^AWQ_Wh9x#XA}jGE@I{wE>i9qNY@M+4+-9bN 
zSTCe}vM>i^ZS)_g7NqkgUv0_uiN$Q_W$z>d?mhT?t*{y?jIb8%3*dzTr%O4dDin79qQ61lgvm(PL{A;gl;;#`%WNtO~=H z@GT%C;w-)1ChsUIfqW%dK91iU{+qV?xCx-w24OB!2v%bT(J=pFT{ff%>f)Vb=%yD8b~| zzh@po@~gT392!cr*GuD1rBhnT0!;5WeA(@rM4rUg%lG#KxHyeC*?IMXF`XJXgyJ2_ z24V+l0r``!adn`%;C|_@{EqmyET%zv3kPA{E86ZrSQf}qzRH5klP)0|D}RLOkXG7; zQ7(vD8bfoJ-iru~svR7aG?_8o!&w08sA}joVUtdQO z3F{;7QR>sIuXj$1F^LyJJ|5C&2@5uVh6n6FJeh&8uPjcpBmH@ec(Uz)Nnin|Xgpu2 zu#XytcP}QC$#PJWVWfJU%zz!~6Fw(01}}6+8y>tK8!yN~rVziGk;v?snf!Kx*njYk z^jk`N#zbh`J`L^V-5_a)_8~kZ&vQuJ+%>^_+uwA{&{vyHP_DRO146e58l6_4n?z9% z8<9)-4^}d$&6rin!>z0}`PqE16}rW^g|kNq&QLW!RVLT_rwA4)TUQil)j3{d7|sSy zzd_KaK#I1Z4}_c(%SWG;~ zYFMh`ADF6ZcvY-9W9RD(Q{BY`Ta)3LP>z8`svW7+1<)agmjgFQs)soBf=Q!lS`Lt7oraDhiI#Z4K(PM_>>+4E zu+0K#ig%i9Xz_Y0+}BD!qhtS5grGBXMoI4@hHLUucXiAh^L29F-Vs=|tQvmGf7>Nn zda7anlguE5wOy!XDQIdSgH~w`syo5iRPX8Zdd9;^rMJ^O8myq>>SVf<`;5c4ns+X3 z8PDS~ZW%9p2n{jQ4nJis44_V))Y6BH3go^;?246n?uS2KQdec7w3B&qmGYo>qjYta z+yu{MTv)34&psE$T0>)mf0wur&0no{0y(<=PwSm3Bspg92h5X07qUuX35o!9t3G8r zCuEO|N6E^Uol*d?ZSGn-GRS&%kO?VIOZFf-f$QNGY>1Mu0|H-Ll;AKet05TB)`=gG z8P)N9R&hC0yN#mM1eVPj!BrEIepK^2qd{Z$j2!xhr~w2G8~xm5;LMtzJ@0chl?kKePZU7xm7vq zHexCYs@Rc}4{EbG-g;y{1fo})#J=kbCX8(}PS(KopP8)u%o(=#@)5s5m6-rGpXf7w zj+KqlPg_CAU+XcBD`X3e(IHbR<7oCQC4$rPH9TKK*;0zkAHXaJ_DU+YJi9acyz|%^ zKFCx*EW{FFGaE8<#&N)XBq?W9Oc~%QnZORjkwkbQqM=-RLe3*PV9#XOT2&J!$&FJ& z18&xP=4%3*t{VlK!Z0IWQTuqTic)~)XgTN8=)H1d<~ynfCQ<~aQexQ~2=0w~d=@hv zUZ99o1Ag<*3U;75FP#%9!8p{SBjbG8S6y>CV3vml(~+OpnK$_v10wU>)zFYQAW)57 z&6R1s{7e<%2o@W7eZ~LzchoQPro8*Fjel3RTcF*i)j;+3n6la9zGcVvsQX&*^j{7^ zh^{6p{YUthkk?xiW2F1_bJv^mx6$l>P&nXEeUjy>`#7m%;Ai9=?H%85+w0d5FU8R^ zbz0RJo~_8`?r)@i&rUJAy~mbT-;7yIje6x(q}<3XltD8(CKDmPP8T2#5D8`wR~0bY z^rwHJq^+MOSQs5!Ugr)K;-Gh>!<_@Z<+nIDdUQ!mh$V*=H;+j<=+*L!RL_yhnY#r7 zx$5oHbjb?l_wvgHe$@64Ac z>;33Fuwkz-@p+WvjOYi8c3-xLGeMB=O;Q}eK%|@d6q@RUypEQ(#4k^bxf&aIY8<2B zxP=XF4X4p=&C&28s%8VHCR710VP0M3@IXhtCGq|($%Ru8g|52Z)Cfonroni?-R;-$ z3%08G4xL|6HHm86$XVJ&LegCLsz|P40I%>nWl-xm56IZm$N<6RP7)EO{d0pmFg$eU5k6!?oT=7 
zOdCqu%)PN)gvk4blZYA-2FV$L#jZFp*A_2=RDCCcib2ud%>zpYmz)vt>olO%D!}@9 zmxjw567C6~cSiyY!%z_8P@UkS-oq$pGQ(%~#$X1Ol{*Gm2?IrH{F}poJ%=iuH)LLY z!hP18_yWmUuZLXZ%h`M{(VP9-&=#{S-Qgm+eKRk&VMul`IkBH3^hjY_cf|TjGGxt+W>KI*Ox~9@eXdR$Fuw=GC#1@151xc*^ zhakOjTizQ@o`SRV-y__=N1rFWvoDxF0AF|81iKDru3d<0c&2Fl1suILrU8STmk{#R zv;Kqy%4(u)9WGR#b%H`SOjzCY`~Ih zg7bDPcD2PDe0lj+K-?4c8c)^mfu~7k4*r3z~$ZpTC{tn+6TVaCC1Cf@Mf@!=EyO;uTXHKzJLkQ zSl(#Aq-hM86iNV>i{&30f(q9iyq(+!sBX|}dcXT917z+MXus0ZvcdWb#4MBU&yu7+ zh*Th7X{nB=>q4&RG09*Uvdkjj)b7C_;iY`6icDsl;>E1bbX)?a&IhaX5yqy|LnKZO z^&b(P3tmH>_}#ZCd-3cPRwPk&khS!Zz*9Hhu6l>OJ+Z zRW~^pqD^RjqXj8+3x1w$X}1_!i*~Nu_O3Hl*D!v>hOSa8hKkf@H-`HTo%)4zBB}_& zD#m*JN6v-ku`P@Pps74CeEj2FH0A>4Z$-K9OLW0g|Lul=^U6hV1BPwG__(3M2Ail= ztN1Z~L{XHD#e&(2HPzw7rj5%$3pMH2xl5J`pHc{QD!OW=GqP?iwz6FQSlXC)ZE4bo zR4UVWb%+l5sim5Iz*NAzDEJ0J_gxXm_r=*`>%XFajXj3egc1e3G$sMq^I&NZUivcsd;0AgY(q;L-C>r zTB5=YoUfz#&j~wlJ)UM}Rl9BZYX(%-h7kTnT?*<7Zi!vedRtLeD~|5UUof=CC>(S- za?Bls#^-;L>}WG^NPm{$U(ohj8g3xlWq@RnXMFq7@e<7sYSDN+ES$XQof)N)wI~g&(hL)uR`wjMrP0DZz+;mBsT(b#{?BwEInroAwnP?aq2D8Kn z2R5*_^M@s=FPHs@GEKoSk_~(~+o64kw@YSchWe9jf+yh_+jfvWvu@~S!Js?m*eumE zm=s)uGWNj5B#4D5>`6B5J_EgQOZaX5LABfIl*vBh$RQva;rn>Q14BF9N83c-IW~8* z;KiS}{Pc4IUz8lv@@^{3c53q9fMwgCV;0|+jgU?(8ouquD}JOCHQU4?SC@KPd*79Z z7zWh8YnOqNKx^JC4jH7&-gm)*ag~_k$Ffz6$z&xE4XFk;`&?$;*Ht#Uo@>X1mQczBMSg=hY?KkzMi{|hB8yhzUfUPG>KMRgfRuPzm}gie zBKUuY=XY3LWm^TistAnP(k_6&o$!^9W_4FN)R4+NZGDMsRD-@)#0@2!U0v{9b_}8g zvZJz~)CUy&k=221ASh>q#jJ@UmmmF{#tjK#zkluOj}OMkU(;2Tm(Dm##ZjA9*bEOz z(YNTEmAWD5!-hVYa!CmsX^J7qS+;lMXH=FBFp7pfkxXlzyWM607D;zX0cAa1Oqi1~ zYjgLXwbmX=uc&n5e>)d!zE4t_KF%0Y9-dvc*_U!)ViZlb8BQ>>K^%y!sdUbQ6S6TPbCnOR$A zRXNGMINQ~hJDzBIN#G33o)F-e>S~R6k@pBVU)E{Z*c_j_u5EPoL+9{rWBLr#D)<&_ zFSN}?+dQ?DvPxoj>7ng>r5;fv%mp>s$@ohz(R9VAS$<4GJAOiAraOxh)##8nxRqCZ z#lN{HjKau*LG*k7hT|fEKsr(Kxx~$B8ROwdFW7J+hEC`&X81zgq*&19RUh+RR z08iiK;9Q#t{I4278oPdFK$-PI5K{FldCLPwMMMKR_bkr~1zdRxCtzlD3A?v2m;+-zXfpu|l^w`b6 zCX#AyWHLe0xB-cVMv$+$;&ouDK$TxW4}AAFpqS-pUS8s9K5j#tz69=DGh$(lW{E}R 
z0+(df@h4!(et7QC^_R0ZR=uqNSXB$} z6Z^GF)=89Y+UBhi)t-z~jb{WA`* zPm37Jr%7njYFYM|(`q>ENDJ!oU?jG7yh-xuiVzwmJrgEsK*<#;vdCq(C#Y0}JGS_C zAN7m*a)C*+Izw)p_jJ>&8d!Tv65TiMXj|K`bBDn@0Z+NJkENd{e+jQmNX3oiIG2M~ zI4(p!fOk0mAXqS=WaTkBCeDLYHVFM84}6X);}Z8)hWA(i$9NuGwa_y^b}k1E7`nsc zWUhxBh@KxA+%WEVK%ERD5l$mB!`QLB^awLCa^ zVpcOag%>odBORAc+R2)Wrf>#2WqE#^X4Cz8J_;b;HuuAMJGNmS9ox}W8TWApwge8_ zfX>URqrp8?U#LZ}757asBYtePa9!Qjq^KXq(RyJ=DIqs#ZVZ|P+1${^5%HzS?0V%F;P8#IU*{At}R&p-XtcZbzIe zUa%+=5XPhrxmiSz&a^MZpwl$u{GX8eO5tFrxKTuG4S&XeculC+ga%#{>NTNW6S~s8 zCe&*}SK7U6LNARX(t2D8j;s6%#ti?8Ngd%u1|(^dn5e(-%}AjxRZHKoCMX*S97J5Dws)HFO%Q>+D~P;h>?TxF$D99|l>9QI`zE z=2G-7%($B;p=bmm_rf!S+$9$RAbRsU-5l!HT1dljHj^dW?f0b_!aI4JMTOzvtVeyt z(9&P&HR(St3*cU^!a}+d&rA1T(NFR?hFRW9O~aX(ro2QlEwhaAMVlqa92D=qSj3Uc zNEoxbFq4Xx;K^l_4TaYIu~+7ZKK_ zv7E|L^DQfv^|cc|8X{jbcJN)SdnRja$3;I*DrS2<{Xp!^8eLn_H|U(PBnL6xikaHv zMIt`Blff2hRuTG=XlSwLw@KGR)|rw>am?+KTYaN)(zWikwM{H&d4elv-PJxRuN#|ox-I|kVX#jzR5zmOeMRJmq9 zh)K@!MnIK*3iY)`6?KR?vF1h1>p_+c;Tfh;O^0}jZ?;SY2AGyR`A{-4=i>$q=u`tv*_P1o;XmTFE>@QOwC4Gn}jwRQ@jaF#Jga`Y=ein z*(7*>n{+(#X&8rk?=wuG*p~m=_NrB1zy;U+>A^s&an`1Ib>1#0Ri)6arwQp#O66jh z1>HF!WV3m8H86HwJ%R4KA?;WhsWQC+Ubc);@J?h^Gl46Miq6d<1WJFWk7?bHJNlb# zx&!0psZR!yTX%BxLGTuRQw@C#hFdF)QoH#!2i*BMcu)HiKCaB)dcw5KO;4CFeA6SQ z6`PL6=Jp22!qvBMUTmg_QHFyd^-ZW=e*L%7N_b>Hj)KcLq zV+voZbW}8htD)=(l2UF_9fhC6$&zDS^H6dLWe9}~3gu}uWd{raF^7rT`A%sWh&wx( z&cgcIP_&4h@3KZJ$++9ohV4ePBR@_XZ_gB_w~ow166?sMV+#AI#A1YWbA^Ef=257r z&(doaxyCBp*K|vAR&qHR#=CQq?fUxdby^zcFfH1$hL4-ZmZz(K%PhSGU9Iret6sDF zIxFJMvOuBUoV{z*hvJkE9oMK~+7D*?pd8-;Vy>_n@aJgV+e+V$%@Le2EF){z#5av?4VB!g+$wJ# z`+4lw@uA0ls~>snx7r-R>EfeX#$0vf6VRK>D;d}iOQAodAY%Q^8{+%>NA%9jyZPc4 zEmZ>7SmTyU8>*^8=M?vuW=+dp$viA#iOX=&@tulwL>X4q+m!Vljaw|f}6WGe2|f*p3O zOk~NIzmQr>xr1^?fPLry2z{TIdQ600wdmY2Z5C3M0u?KdpSKkqkj;+aFtQgF*j$$( z`y3AV2ihoiau!?X-s8=Q`SoV`<|LH*boy10FRK&qvw56zXycunMGN5!92TYPsYwIG z{WRnR{C1us7`I>G|GfMhVbKCS!s9f|;ji?UULeI6*e9HX0}Ed5gkxF+gkA~)9;B$g ztY8YgPZD%j;9E9fUfoXyCzvmDs@#yI$pARg;;wN90Y~_U4#u@76BCi$h5y1UkD#7& 
z8cdh8VJ55AMH9n3q@%_78dKhFD?!4VfZ9+*yWCIReCI$NMQf)X{JV%oyt&`n2e!{c zTN_9G!ae;D#P4*&{^WU%hCnp1{!$!PeiKn3+AtkcEpQ4vHuyN?VE{*WP}oAw_>+dnd`>zDliMc{GZwk4SgFKT{TXNIcw+`+)cnTQsCx5qotBE$Z&G+9u$p){ST=aR3LWkFK+VoY^i@7Cl+SX@HHRtt;pVhVv z=Ai{v4S)6(#Y10Fytigq|6BY@0nBd2zyD&W|NZ0h?|%5(Ey7Ti*#McTEMq^Ol0&+SiZzulB7R&1IAh zDjVRr&KD~*^6=Hm6;5KR=N(z2^fqT*SEf3z%YhAi&{V52qwy)SBzGmZ!G<-ttC4S- zR03y%l8P#O8mAMU@dFhncx1@*tJJ_E&j^pX%EC+F852}d19P~*6nY>yev;AZpM*E7 zujlRSd5h-jdH?Iy^VTqoxr%p3_8)_OQjlY#;M-z7sin5&3g#@s|9*M?URO3hL5=$L z3plnbG;9pT{~pCG&ynyo$3CMDyEYIdQ-Yntd6D*vYwXKRNLp7?z9H9j8O2C9VJJNf zEQ};`io2@WWPraBZojAq7?eAgLMI?U9|rGbpsmUqKUX3A4P#qmLz+j4sf)30`gM30 z!{Jyte;kU=3j@TPcH-KLJiB1W5#s|h_3 zxz9f0?MhP}uEZ&X$09IIi(v2A2dd2%fIK9TJLj65!^s2_co-)sD0vgzQB|q}@r6@- zA~vTWA<7$da%|)JSAiO?PHnsfp8*h`SvnPi4&y{E7w)09ppAIta1I8Ns`_#xP&F+oVih1nAW+sNhL3XepQ2ie7vAY zNvoMItFIf!u0C({uVDhRxfVQ$y)dgF_gb@>>k~baPtuwp++1k}Bv~>iV6`3={xXJr zA=$Hs&;ZKNo5aKc|VJL!dR?GtuCEFPu`>DI8z<2?9;jH8h51c{-&2j?lh z4&-&vq##8u-jTBj)=Ls+hld0UNns_x4n>9JHl!hDYblRiyv$d;7`npn$00relASYR zwYItigEg>Y9}d^2)V$SF5jJc#IJrtV3A>aEghD<{p)MMbh6wIc_22SJ*vCxN?SAF* z_`F+!yp!X8UO}z*gYjubB)^2sS5Uw12Ea7dsYV9upeLLs>yzr3e!sCtE^`4P+k+HG z$Fu!Wp602A-;|a_7Bf=Y5uuU+$2?*BstGrSY%5fPEvFIc;;f^m)_v@UVxn3ChEK47 zPw-+{G*{v4b-2=5T2It+H~>ggAl-&>Jh)EM+eEX9(9D$m^yKXP5Z!ZM9i0Xr)9gA< z*)%von@7|rJU6$393RLlSAtg^C|fMTWXgqQQvFHQxw$#U@2wH^AyufATOQSZpBMyJ#4|#sU4TjI9j@}2;s%H&Iuis zW^@tmC+$LyF(8mIE>#Ds-BdeSwbra4p|+#5_Mfr5YObixhZfvUry!$VUgXz4tU0~}`2Qp6X!G}ri_>#N zqD4AMV^YzR3O*ERKJMVk%z5=@Z3*3%2E(0Jc7&r{yg5g`NCI#-)R*LCFkb}YyUwKN zR#$1lPCLA@WLv>H%Hc|?*URJLwf*c5tYcbhj~X-CTG;_l*doIDk&?i6<^WLPbuCwLG0y5C|~SKU{zrJr$CfY8Ql+?sZ~>SoCMx_NerZ;s-0Iqk)< z)8Jv)v|{NW$u;y$vmYa}hyNzaC2LM%;j%bvS(dwHF+bEz08~XRFBIH36wl7i5BszS zq|tODanxaERW{U#jl=P&9Olna98$bb-!o)s9ByOfInT0V>)hxtwu}9&c0QJ0R3L8g zjewy=PYo&$Yoya2v_gHsEXAz;xfB(JGJ_|lQ8>%)kz;c=ti2BJPL8eIwi`Ev1p2TX z$XnRFf~2}uuORUXl3I5s9WtO55fau9juMy7<0+4)Dr@z4%Hye8_bs`WRXHw~&uWP9 z9#za)cm-Fg+X<^t-aexbH5{XKl*Yo+mg&JP^b*Sskz%0swzeAL)-t;E 
z5f5^`1B3;H?g=@AL*o6KR&`w*RmZ#@PkB65 zS*yoW9#7S}-@BJBR}H(Q2y^# z<>uCtPMhDxjt&A&Yb&*XUuNO;jh$i}`@a6*rrgGFu;6izX%p`+{~#`Y2+vza06{l# zTQM*7BwDbTzB79G+A=FVC+&$*Bd{v|5uD}c5<|;JwBW0a!!~}aPm$J=(OQQ}?ihpB zBXi|M8*Q1Y?K4!)%eH2u*0~oFIG4)TTal%*@0q_q(DNfV$HWf02xrj4e_-C?{&kLm*!TbYz?<^fDupC zE$#(R#P+|%Jnf<;bQR?SOZub;6NY@?zTyb?D+s?ibGw|KPZ)x06B~|CJZSq5A1%6{J2CUseDl7V4KQw%!ugCEjP*6B}Kv z+{U`P*h_ZZ`XFlsu&+b?G?`Gr5`n`COVI>5(-F_IuwYTv_EKypTvL%Ky;)#hdtu&6 zly^Yl1cLrYe9IOVzCBtMLl;}MlZfkJCA(>^ueZShY#rDJc&^<%oQo9MMU!nFD&FXI zAL-R(k+%vfl~)RE(fL~^W67&Dy^2GThu}131$x;(bZo$e&i?>~9yn}k_d_@Db?@6^ z`PI%TLitv_Z%Yqb@V+ho3cf8ta9h)C^oc43nBR!fz`b)ZV*D+nG*M#%4~8JLOEB-4 zkHtqpSu`I7<)ff{6jb18VXZxU6qHMBe~l8_e_@fBO7rI{iAg`~fmOGK4T-GWdPP*_ zw`h3Dq#h10s>q4CnfA>rl}AO)#&%+PRJ>thH@TdD@_}U$8^>Y(Ffw?}d66%1Fc)fp z2KPlK7cS+kK5SjqQnGs#9OZ^{=bg%LJA`hZx7|zKUh4kJIgS3MZd=2jO)j6Ulju_J zVvXdQe3B%=-q@(Obg<`P{`Z=7vPQbF%P=?=7Y#3vOzOf(Kjm_{2OD2Ujv?duMPoa| z!O2f7hGJwg#EO2QzRUnbK<8o}}6-^kgstQ|j*ha;jmm6=>>e{TJX;ZW(?5dm zDOnN!C-MqRCPgAH1pU3!?qFqC3!j{KTd^{}h@WVlyJ~BmyK>!!=dQ|ewwMMevp#M8q}SfptEqWkFYoK+ zeZ2xtS8DCyeZ8!^7B=1}m1{x8YI*b>eY_GAgG_vnglHVHEX>yPn(<;u;KdRzmTa&E zPd@$?#1hMtu=BJC-`O0x%1$Ky!`3QtMpNh|+8Yv`QXuZ7m4R40Fnj^lh{LLBc}9Q@B)DN?FVTR--)C?XbIfoXn)UC>|VC} z&vVDIiFBk3Sh2df9m;ffQNiQ5($mT@L}+jAeZ7St%UkPGX-xp=5}YY#yqAD0S+1_f zJ_`1GM})oJvc;aw4$OJTWRo79mYvly`URs)+=`VXHL!V9)f|UQKIt`OcVC&~*7rHpch!9pPA-FRz9{bY zOaJ3CyP|N~90uT0H^8bb$P1 zsJBWqNWLQUxtjG}-DztcT(XuIR?uQOUbrk>USU#yp!Y>|Q%NGyXC~lF0DPDs4BQp- zKbPN1&ogZ}N!$-lPY}j8sLugj#;YZ~TEeR(yjsHEl|&$qb>yd0{;7x@5cD8}2Z~7P zJi1B{_VjBKoW6W31loNc6X|i6zE+RBJnpJ>?>$X|#yMH^E^%US);mmVIx*s+)kLWi zgk_2zQ8k&T?xLJwmz$4q!ts zgw3W3{7E`ru&kJe-C}_YN;xWrloy6q0?_87L+J*7CB^RPGM^dsN>+yzCX?)rHe&Eu zb=mSueNee+x_62c%ML`Kg>hJc=0PB#~zZo}T5p#!2a+o}#Hf?c!iFP*wJy+n>RAw@k%@k02=f`V`yVMjuIg$7@t!B=Q7 zcJ&n+e1(Rcs?b0<-Wm;mkQ71jNssdiSEZPGPCHr>tldNI6Jssfn-0635prlK0PbTt z4Hs!E^s1g8s}&IH<}49Ad@9Bcj&X2f{P51iJUg!2cJ0`RP?-a+ip=Y`d?!+|>jr_`=a=(VCPTiw~r>0nLut)mO>e_h_CljCdP_FQ~%{?77Q^o3+;!F%vQ)kEzkr5i|^ 
zXQ`u4u#Mo(hi%#g-vNg{Y3de>K=lpg;bg{=D4&~STog<)`Z}3Pww=y<8c^hn=B!qu zV0}8qELiv9%cdOi0PMJGS1!(yn4Q9Mge0>9;gZP<#%ywpRq5b~%u(|0%p+YkfGeHh zK59W;1bbpH-I_?=oG1_u+FgiGwsl~H0MV=VO(mmff);7k@~|ju`IqHl#eYo)eq!S? z$D3o_jCFG<+Cs1zyLQbzBUG>&X(a)?1y-u6LRP#}LkZooHAVW_LygM?JoK$idym)y zWUG|06xBQA!h>dHad1gie4~`G7zY5n6ppMo0KAmtr7SOHc`0if9wNw*Sajnw)}o`G z*MY-!oOAeDTrr;4Z$_aN(3 zf^Jr29d%Sf-q8q)PD_f^6(@$xI+L|23^tEC?Y81kXAfKOsB@=Lr*+rgZhPm}|8d*M ztaDtaap+3D`;U(oBK4EPgyu;;UX0$K93O3+A1_0!tL{u&O&}#>WP^q|Yd&+esBPWb z4ekG2=>-=S5nE`PMvsZ(paG;d{u9l9#)tWY!Bby!u0;jn(o0Ve9@KA2hdt8rmC!@T zg!4t3F`#3skhh+^;>_6U>Zp>4P4U@$TJc%^WQ%8lN(m?y;433VxbVXKM3%TuNCpvI zD)p)D_`8>MG5oxUGQtQzCevhkf7hv;IVd7xTab&zC0O4q>q$G_zQfJ3p02kWc<>af zM=UXIh2{4$$xxIOKRkE3Gw?-t)fo#@wzW!1JPLSr{R_o7n^lj+;T;hS}OMhy{_fTotNb7xB_zEmSmZl(+UcE z+woU{Eo{YCWt*NV+ya9zA!)eX{G#OD?VDhB%Ns=#g_Wun`Dns3xxL!9R5J9Yt?kx9 zcrOsIvh^z4U13>vUuD~~7l`%D<|3N1x!ws)Jz=8{US;-;GjN1n`UT4)o~}GKasIY$ z*4SK-Gx05_u1r@6`upL%nh&Iz1*@@FR@3d38~UO+vBO%`gu1eZ-8<9uDCv z`pY;%-5#@==yjW}M}{uuA*DA z{r6-Q!%g(AjM+uMe0BFEmw-UEnvC)jOMfi0*{9*Ktfujf{9cOpQoLtr9Hn?kT(^a4 zRR%e7MIhux2$BBQh!tz7aHl*Hwh&7#51=nrjil9cTMAl59hFbJc{6xo_!}wPY05tB zUF+0gvAmBvMrwK_GxuLpvlr5GPZc#Sug5Nul0L|Ya{}jniZt644|X{wETE*75gzj* z!;*~LusE6`3DNEFdIExB@Ltxf?VKhmwL&le=GBW-=C_NB({n^-MLJ1ik>-EFGB})q zm;Z>wtpGuxbCN|2q6LkohC_iP0eH&t1f<0cd8yj`4ld9fr24dycB1d-+E#&It26dbsi9e~2719pjQ!fh56p$y*3EAD08dRiC)sSr2V;myjU`2w&BoN{(2 z?TDo7iqmu<$k&7=@Cn=mOkoRnkWfC_%A)Sb0YU@3v=EFECTtvsQ-OIA%XQz^7NZ+{hVgI)c46R}@sw0GlG z7^f*fsa>aLg=<`Hz&j0T@@fHUiebrb=3GD)9$J?nD=5XQI4*uyUM2;VZ$pBIPU-}P zZU%sV7$!GSmL^#KiY^mchSRLT=MS?4Z=p{#5S71%LbIFX2L?3r7W3n>F?u>Bp# zjj`Yo`X!MH+IY~R+SjNYXj5Lpq>p!EJ5ir5T(d}9PNU01A(4ZdXE==T9|)5xtSv=vDNV|X6MG{RO858@^5x}a^tp2iWSTC+Vlu<$FVh%b zX6d}Fa-qspVZMaArP#zNBaeDuwB6egcEFowJzeS#0#gW>D74gw zPc+gGmm`c&^Azme9P9-Kv32j}8DJ|p*HnwUr(Zh0wW&;Zb71Pw1+DwZThH%OO9vyr zc^i&rX?ksynEoU0>y({}DglkRcOw8FbrH$}APN()ID}RE{o2v>QL~|q{ z<#k72r|ziZ_`UW>YhHWgwMSliBpO#dbiRFHN+T{}om%1wOHfqq#NYWsHr)?5oLggA 
z$)vnB+1oAUz1*cx;~8}qgvL-?!xl~dmZynLuw`W-|A3E_RsdebGD|ql?&r!|9h_hU z`(l~S1z(9OO4JFUm0Ylt-JAp9raV+^snjQ+2VLoRE=EGO=yI6|(Jd!($4MRfcmm^; z5MF~1t|E|fO;6gwMcv*H!OlirfoQ4gLoQvE1GNPkHU~ScgO_A2ftaw`U+O2TRf#kX z=jK6Z?LWAl``3;+boA^w=;-=o?=^TIK7(s4-oamRz3Z}z4jz4Z3Od2t+M&$W=glfM z!nP!clM_mJz!2uiOqcd7#Rc!bDI>GYVrLc#zQL<7VR5{DEf?psIy%5=)>U%dF`(O@ zLAtvhr=P7sRvGyAg>^*eNl6h++nJTlYEGQ$KM`*d;G1n z4bAz689IL^m&$Wq(YX=fR4&IaLied88}hWFK`<8yobM%z;zrxD39Zf9=QBP`8x*wq z2H&;$Pnhc&(1uUY{Rik;+f;^I&;il*qa3seb*-bJbJcPM91UvFa}+Gksdq&xO2d;x630lnZ;v!>7PUEBMqWvYvTYwzN0JS3RDiiZl zo}-|6)iIlumV)J7PEr;_G#|9n5Z$I%;{YZMG!ScS{khcyX@#7cbYCqWHvE}i@)tpo zDMJ;iTJT^2AH}))<8myilm=`8{NRs2AMvf|W=_N;*-;uV=lZoDl-9LiI1dYk+|LkQ z&*lAvLFc-inAnKm@YTzeolNzrx|MTiGBL*LK4y>I_($gkhZ zROj{MYPe!jyDHmI1TB2mrrKloR!B0 zXec>6J^Aq6dF_W9Qa$24h=wQ8=aoALbN6;~I1fJ;81x)-{|}h~3vZt0qr5MwiwPG+ zt*8(quPJhr|3sQWtQEu=<4QKuHuT9B(T8RSO%p$dFep7A6}1pPl}IiKK8jgao9Da4 zv~-DhfvYSPcNxore3mYGUb}?7W0Ndez@>T0wt33-DciPf+qP}nwsp$3ZQJJ5y|<^| ziRg})ACTWNcjVsddDgQ{qWdf*UKqAxkB)(~cI2ZsR!>8WLfN&c~Yy8Gal zIE*|d*+>}cSoc;3SNnymRz|q1Iz7mp_f7n5sJ)0XbHYhs&sA&Uv_mKkEn>d|D5n`< z2+Dtt(7E;!dI-}VK%Ik=EyvvhRL9K~c5+U-GSyAp7sm7q>P1!ND#J`cwJazwQ2SlLW{ zsDjgAhd$n`K3uQB4?xJB_V*+5gxID-kNUjAXG{+J$ZnuRI)X~U5ArIJpxZSv?hEbi zmdn${a_&pj$lGz5ytzgRv_DLTY)y)2e+*=D4ehjv+!&⁡Ve)YG||}Hk5Q1YGH8~ z&#JL@t+~pu(9p0g_Zs~76#x~dA&Myap|e#nUd5ys5D9)8HApIZ8Kgz1`$1+7)Yh3= zBYe6sE`pg0Yo`})Q%8F6_FaM@k829*3lA-ih^WWyNX$H4NcWtMdkCS$$tcEF@S6OvMaz4-4t^g2-U?=y9(`Y>sxP50__=pO|Zp*F&heGeSlq>*(f$8-h;B4EH?sZ?o{XJl>^Z z*93<)#^bsY8$j3BLOayKn`m@1$eqmeTDsAjLFVL$K~z9Pk{JJGH(<-E9PJsB-;e;8 z^Cp@|a@HFn6Zvwszf16TcoFqCAX9U!BIaQDSpwCeC_2`|#K;h+Wl6yr#8J*y8mokZ zSEDEiZMa+^2lQIaUE^>VQ=Vj`nCbmlUz7tPM-6bsE=;n+#0Y3nT!ZWY*xm~?oG z0q}pp05RK$0dVNOvAoiF6S>Ui556?pL3Ak3gXBarByK6y=>d+C;=-~!257I zd6HZJGH!|c4cqcpTiK5KtpYtuB~$5Ux(5hSTeaGV2;80c_FAX_<12% zxsB+JE=eU^DiF2A6e?#8n+`T$e`CM)e9gw6G{w1}H-$U8xbD*|3zx-!|0>7{TQqa zA=*Pm9LcgA&I@(S*b^h2yI4f$J#( zo}CiYC|NVmRufm{`l1AGFD^c6 zWq<@RrAQGUag4Kq;tU-k)Bmu!5AeOoNbX}6K!Dwd-D6&lcvwO3Vd 
zIltCH7QkRsE~Zk>N+ns38OTSF2FC32k1KJHK8tAbOrz(Kx;BkF?GP8z;ic6tW#<3# z*Nlfw;o_hCHSQKO?I(XNY8pG-K>9z^*Vp?0oxVD){g=L;|L^oQF(1^eU30BDqIT?W zRaJ0n6ST>v>s7J0?-$@>rx8R4WP`RNJjG`(MyTu)N*8R!wq3!w;gDzmnF8ppOz-Y$ zhbEMrk~zoS@D#lc#wf$BR?nR$n+URl*yHxC4n+cHqB~f)^XB2kr-~6CzvR1YETB51d?Q(F1$xS101&U4Q?N@0JBMV z2}E)y?tg(T1n}pL=Uq_MIAvj&w%qf}I?Q3~EyHkteglCCbLfBNQQRxyC0{&c#(T zp}2u}CaH&Z*79gKuIxM4@_OZ%63*;$rbwLmQ0I$x7}tzACa zC`-yWoB-KQ(LW1++iV9{BHil}`dbLK^$Z>)aE)t3aZsgv7D?VvO1@E^xMe}8Mfr~6 zT12*R-8>FHf7wyhH^xUSUhlV2EF=7?E{c2)tG$;5>Ipb#T?VnET(M2any+uR3O%sS zT9P1;z*wCroUB|l9Lj4sJqxswQ$?&=cGG^9#Hcn@S8bZJV>MtY%@$5#N{Z7*qK->p zFdB<bBJ)M>ybDfTllpuFy^;xD*nepY+#HtbrdIQ zt*@x(cY>Ka2lQ7OP1L=l>Rl=owC3v2y{JJCjbtLiK7q?ioG_PI^r{vOghjNVe&60o zWUw^N>>Zk<0-Fx{Zu3*ypq?kGTmdJekuT~}%yl-X0@R{64mfIN$!Oom@}J}JI7t)@ zLGd;=_Mbm)N!yTJuGS`%TU~xzdU)ohFy7XGWtCN3GW#TqHzUoLY`rzYkkzM#Z8dpw zid_Xpmfi`s)LGfY85DU|G=digT8XzTUr7MVJ zbmTJT(A5l}xk%I*9*rSA?O2B;dFiw)4a z>vK5k>VOw1-}I`la@`FbHVDm5=W$tSq*h!DKAC(F@RY>6ZR9qqh(uSZMWp=%9VTR? zp9EhX2TyFqzlIrh-7y_b3vY%`s6$|_6PL+NIviaCX6vcRJcX$K zb)miPo7dtP*>Yn2$k51&dVcQNjy*gZ$k6%Vn4qJqA{U_$iwI<#IJ*S(&81Z+*Czpx z|8_Sg%d286&_5n(G@db5V#{|{BHseRSdke-18b#Id3gV^4u1irT59JOLp%E?iDkg!gRixSnQ|qW5Ib_FVguXdv(zSfY5E+XGo_P9kjRbZ!=5e#f%N?u&bU@=p?j}?L4*9HsTQB- z)21yT(lM#ZMII*7ZnQsk&)P<%#7`LtMV(#IYLTP(oT?&S@f5zeC2nl(5LG7Nm^ALd zQv+9tGGr0@`)tWBV#l>|p){=C{?nj0B^NltSr4q`oe&ArF8D!ZVOs-Pj$O~`?9 zX($ZUBcjXw#WA9TMBkD^d&6dmuLJPHU#oe#YK(`qy1b8AX3*!5xZe*S5p^aLwiHaO z9_5!9#Vc_{Rm;HQ{j(bS+Rz7nOI@`a(9)W?4&^$Je{^y%Ouic{-R_HrWPht#CwJ9L zr^R4%#Za^M0UrMIC9t{HTVjkjD4h>eu zi<$~Vr%hDmYyC^D%H^NSc-@v6nng;W3=CQI@4wa5ImsH57MGbQ#x#{Mr0)5Kzi{)U zRd1%}XeCVRU!*#aaiPtelMdcYx*%-PBP&F#hh%7sAF|HaG@jtDd=Xyou6PPNEc#+Kekt z-%||pYh`I_znnbB6|JkM)rV5O{2B%ZBU63OX2n#7Br}iT^X{TcG|gVOu*hC__zBXV zeu8v#m?*>P0^wOs^Pk{FB_99fAR`|rZNBstX0VXF4iiv zW5l1VMg)F;u4_~-Ggt@DEqcqk_;`qQkiM^JYjzJB8Sj$`4Ta}6gbMk#V6q#;*~Ju$8w!9M^B@=&t&E4K=*jGx8Gz%S+SUdILVUo zS#>2ec3(<%4G8;B@(L-#G2yEEsHDfK>Sg!uw3Zh4r*(=FYuBo7aHRU$HxMLO)zeP- 
zDr`88$(iSm(b?UWr=pWlInj2}xLrF@my;9O#Z4Lk^2D8DG+vdHd^ZTToI;{y$VpkoAF0(a{GT`62E|bBHxnMC#hi_M-^K`-M)+#Jr`&_v9 zdOJQgTeS8`ERmY+8a(BOfJjhzqO7jrH`@Vf=(NJN-6i8YD85#vrb+0|W%gjQ zsKef=KpYrT4A+uCOSDkNDRyGG=Ppb!k6cSOTFt|6xaZHcN+IAH!#}8&CgEg%V5ii{ zVx&JO#S5D?HmSzIQ+>$pnNBBunc)O{M#Kmt%3m^1Ox86pMcOCEB7y}pIcr8w6s2BMX^)CdOv~<@FHs-SpEcPQ#&BR6vKI0+$cSOAj@dMD` z)Wd62-^t$^U8hS{iNECKnVjiMjY0RQE2|hp(IQ&4Y_!-i4Yroa-9c=sKCW>2RV(cq zyRJuO%WIx*9uBx)xzVI0v9VTvwDbqx4bi3`VC2srG`;k39(nxru#uR;0S1+*j*&^q3i}d#TW)^|wa5 zzU{tWbJ?aNDO>1k8sYkrQV5FVYLQEh?4bdtS5w6(gOQtiuh86?oWZgp&41XL>7{Rx zocIgXt*3-{=#>VwMefnL_NCOC@sDlW3y_O;G72H00!3u&*&CeL4MP*7+qI8A9u4;2 z^lIz&f^b5Dfk9BO6NP4}1(E`$m~{P${`H+OV~-Cu71YriNvtBCBGT&bK`&V#;g|gq zwQ^IN43+y901;^em@k#X`d4Tmwbr5_?%w`aZEXk15l7GQU)Y~(%PBd~@4%5h46M-W zD=-{O(@ZA)K?zn~O1?9blTs)W$xvA$zk?Hac0N?=fkkR4R3j_Lx!`X>*qU?Qu5toa z{ec!sJ%nS%Ea45}_l2-Y7kzpPwEbJV))D@@T?BPD#}>e7^YSlgF}@L`Vp-|V0fFiH z3|TfxEgGm+wM5MDch>o8;+z;uuaV;Z;bhw;eIIMzGM0sEM_?HrkO+55A;SRvo4-|2 z{BzL2)h7)&m8v!OQtmmY+SSP>Al^GCur;u!EU&jzq`FXaIpcs;OBfw z3Vn2zSP+!8VN8!LgHgwX83=TEE})sus%*C2j;d^QVjd@}sRjw`M_E8i1tpk+zacb~ zRE^QGEg&alULV}E;fOK#CeKP>sxXGAwWLtpDh3o+M}JBj?pvf6&Xm%%2URh_=U;M$ zDtT|ExarkK9{4UG&rPI3$S%s&{NUV016>OqiqIet%6r)-z_e$tP%gD+yMP2y)~_hn zsyeooD8&9F*1%OFw;loYKU|V&&9mxc+U_Q4j%MheM~dn1DOdZ|`y9M@+okRSPVG^+ z@iyoCvPy#Be#c(vk5|j_zte85QhC&hOJ2z->a4_$j8&-!Dy=rVCfZf!!wAM+H5c8L zhOVwiQ^ka{SYD8%+{XRF}gm}x7m{0Jm#r4C&%MBT==bYX8UaG zy=?MT0>8G!bH@DsK!BRuT^2^ewHFi|Dow}@1DAJ<=6iXt?Fms4){tog9D*?Mqhi739@=z z6*_?dD~;5W%z#~PNhSjOhYeAst3fc(ZkRHhhRh(Bo3ik?1KX%w`YAhBp%$esQS;tL0;pllYUebR6yoB{101uSqV!Fyo2UH|xIKm>i1752` z+GdK|;!CraPi2{`?$Ugm0?HVO;s5(6o-)K?Z~JALK6SR2^(33?t2B03~0=2K3ULQlBYp-KBCeBV;nQN-T1o2Z*pj)5Z<9 zq*trD#;mL;3o4A9XL0Z&xex~4C1^Y7cRgMX>N|v2n2Aljis#!T4SMu8-E(p4yi(>| za#0(YrDPZBFHZQ>B>RIHMUnM|6kobTbJI$^51eJg1#X zA7sQq##5)4awX}c^JJ%scZkm{c?&a+@?&a&xxjPdzqZiv8tkDE0)cX-W}Fva9vfj&{Er(#s3aPf_X^$ z*ljE4SEqh6LsvG8hxv~mT&lLd7%Rp-#*d`+O75S&QAR=?*LUwH!`bA-;r@*q8H*d! 
zWp-iPvo{!t13g||Q*7wFF0Diow%Z(0uix=qsmq0Is%5dOfx=5;{1@4BusJEeYGp&y zi#ohTzoP}PdgUU#RlkAeV2ooO)nV|-mLW~ZZrR=sbzvJ`!e46kbS_2Llw|b>{wp(R zYvR`AYQBs~A=ytfQYdUtoF*(sr$Ja8J1qA^M~k? zQ4t%C3*uyF?@SP=*a)_(fk3aFMS4%^7gY>gl4cZM58Na z$ShP5d+-qTrUCC{EbzIFY%k1+<8xmTfa5_C$GlYMr2BoMu=JMLgk$mCe!B%FOrx4z zAb1fD%7pDg5ge;34IAdvvSO%=nJcJm8Dqd1eam`O(M#Vf#)r&dd{UxUDYe+LbSjW| z_Cyjn5AxJv_vLoDs zp0dK}kL#;cP<`{fcwV41D_lEyi<>}7jYZp4)6>gfCw=-sQb)w+DUI}a z(#os=$!#STYtA<4zSsO#%7{PZosLkhf(fR*dtTB_HiWZ4?#Ap`s;Fhd?_m{NL6~l2 z6%36m6ZMX6OaZs?*tm~UK>^nZ0YM_rBL1=tF^!*XAIgx2Yqs$ldF_Z_wgG@cO>LPu z=b*K2xQq9t7B;>2r5uw5pongj28FDLIp)m$x(J9$eW`TRnmj*mMNyC+y1JY$lH=pJMovLyT$XrjF$EIBRo=*pX> zBiUvTkAj>9Z?;Uz>%>Wog_Eit!|0VMAx+T=jD~j^90iNivvi#Ps^9yi!+a6oWB@O} z*bEw|j5V65B2MQZ@LYd~-z+~u&KORlL9*tx10Nz2RP77#(P+$Gt3#g|c%cz4aUM9L ztb%^xFDfutLM>aXv;$pVO#JJ-QxKZAt|A8lHM~Eef<11_d1;?BV7>qHpY;lD_yXHV zz16EvDZBR>+WAzS42EyjLMD1Hum4h@8=|BeU6A;!C`*oQ`^S%dO%)5V8@U;nEQN8o zs<59~zkY&&hL|SIDlfA7%6ait`y>q+(p%p$B6n#*y)^#5)#Z^)_WTgb60V}i8#Ngf zJbNBB87nsxftNUx7P0>uN*XS*CE$c9Jt8Sw>|`Z5mtlrUGpBsAXq7rg)vpdMN$|If z;Rt7cX9&53BO!UwZnN29_~&@TPUjm_YYX$l+ue|Bv(l-UJEy6zcx)fnBG{_G?7Fg7 z@p8Edase5Z|NYtgA4K{`W&U4?w5=76DRIFfPf1bT=DjnlS4`Nytzf)z({E^^gKGbf zvtD0ax~!rBs`;f7?i#&=eNOAKAjmvTB))IE)kV=U37%Zy5yT-*_>Kn!rG+T0I*4#c%`yv{<87 zxVMBu)vUGH<-2e-=$NpgNPK3pxKj!Fmuj+xM25AX_e zqt-PHzh5r-no#@i*ovogcW@3`DjrDjR7Zla^z{zAUoHBui*1bV_O4XuR3{x>ObXNw zbRB1$YRf0DBq?(e!xrc7MV1wr>9UF*Y+>Z?zxPD;Q$;nfmczM;;hgQD80u_Iw z{B6(E8fM>K@_ILb~9c}IE{KG8fp3yA;ozv)p%H-!+RIEaO`k2 zVQGF)E@IiXb7icR#g-@#2-4AqcZ7TX*E>(+yH7&77#~rvw+s~bnbNJ|MaYx`zbV!+ z!~BG8$4+$PT#6hwgGnd$|7^YnJ&`zRj9fsh8?`~isRG8@JN?#U033j>)COSme1Opz z{MFjfdu@hj-ASqRKJ9LBdulM2bDd2<0Pi?i}952qN3lsa^-zO)C~QFpXo3Foml2MY_Xc$ly@e6V8~J zF?Iswr49*H7m~he&8mc8HRMCFOy_Iq@P-{{3@dX~ ztF^tm!E-4_XZ8svA7Sto=V%Dn@9Fgm&7{l#h8znv5^lW_sw-fw3922m+=dR0^iQ(j z>&8R`d8*+9Q@Q}#YtcO_lYJv5A=BOlsYkQ!W(aKtf5|Ur&BtWZCvqwgN-QP6+GH>L z36fKLo&ogI3Q#@ditO zRFEr(p!!A0aS)ZD=3hK@qj7^7e_obGbfp`m`{OewlcxetLcU@ebM1#T0+nHoV<3svi*|Z$^L}&Emn;4x>@3)HY^AZWcv4- 
zZHl1E4m3|;amxR(y-%o?uR>ar-{$}1QBAZyw8Ej&yFZw+rp(@W{4r>*oYOZp1Hcu; z+Pf(FN(<)vH9_=d&BRRfLh74B>70npDfv@>1_1jwBvC$OB|ILae|EZ6UPAW4yP3IDKPOp&78?$kx6dJ~E3EsLX#3ImS6X4F)SW;TDm(C? zzJJQ*WT%`E-bEw?4A9XYiQfOf(vDt74=xj-mSjQ5FKd6jm4l2To;n>k7Wq9AJ0B7% z+D?wvDP-*?;ouGNP=TF`qPGi0kMMog)&qz%b_JM&cNJ+XA*?KsG;rC&ag`A>uSFkY z3VP^P_r_I9G*-sWAGuz2vgZyv;V!#r9@}NvReJO~CC1mNOMP-nG90fBVCnb!HayJb zMS}^J(5_q`HKsyZJR?j=#fH3`zB&e?#+FUL- zkyHE1CiGCH7vTQU4OZBIiS5n#`&TyhO&q8umM;iH$-HRdP)3j?rg5fh~BrEp&3fYR~mmaM{-!qXOU3CpSr3}d*vJC!d{JqN6CJFAv@gM`YQa2Mcd%n z15)hWdG1*1cgx1Epkc#JqAndys)votf6w zTnfA=qsnGF-S+$jpABaBWbaa}3Z>c;9&T-0AhpwGgY1L-!IRI?+u5b4xn&B=Ci4OM zCF)o!9P=CP-|r!we;ubTgb>7b-y}|FK+7!j7r4xE+@LFG7nzo&G-)`2St7WCk_k` zT_}ywrG`mOF3tf2Jp!#L^*yYl$gWTHVUIfnd$esOD&)K4Kok4-)>3);ISp3DmaPF3 znHzdJZW419)#S~XuroFf|Hp}>~vP2b-{%H ze@P+wzP-MfF&&|sFMCJeCH#vaTGnJGsiN7kX5EpCi4ZGCHhsZeCg0UZGGnB$2~cSX z0Pn!O1&=UgxM^8w3AhJmP!z}pxZ1!d}6{p7B z1euVpkWPd;#8O3MiREm|*AYylSy3C`wKVWM__u9_vBHn8&|17v+3!dBaP)HHc)k@f z#Y`V~`blP-{NAr)bF!{FFmVLwlQ+DGRd^lL0 zgU`(f8HMtg)udXAAz@y#2fJ0Sn6B%eIq*TV5HbDw7cn?$JQhU}OB%U)r}2^4mSvS7 z;x6{x`5&ZyvL@9B`(Ga3L6xH|AXlDv5>l{&PT>aiO)!8!()VBk21Ft80L-1KQZT`VP|ujtX7UOJc$l z_&5nFatO)~WQRi<(jsSKCtvQ{koC?6+m5j zc8r7li+}AN*>(DNyb!n3{?g~qF+&4=*gplA$P8fp*QP;a`H!xVcdl9sy#slj(ulsd z2y}auX@~&SR&u*wI|5AfOXe5It9vXhSQ0W!zy~b+0O!bDqx@zSmXL0J9m>g$sVcv8 zMx_Bf20mBUITebDQxoY0ql8VqS*n^2cp*L1ZCrg%q6pl3pCYJo$Tocub%B0wZe=BI zTU5MEaM5|tF@<;z1s0$OSHAtZ&1zp@R~148%-3b%?ME+|op{~{zytWs#{R(Rq&By_FrzOG?Ixe?k6IJJ`Cp*^|F_&cTCA?F)j z5>aOl5Swkp(_0LEiB|so@4?Vu-H@%l)!u)@R%$qTGH)p&=aF+4Xw)?H*ix`&^r|te zH@)kn)<*+Yr7B}1#n_Gqj`QuM1OsEoB85{z#`Hek0^}=uzjX@b^pWJ7hEcRV1PH)b zrft#n{Px}M0o^6a#PygVo`g$5R`(@F{@qcUB9E2mfQ}f2&gqsMb4e?5sIy&BDM$1m zo<{*wLb8a~tfM=TbtXpf3V^z3=TjaI6}`>DoAVKjTp5LJ$39UrQvBs4T|+%KpZZdY zqL>-ti@?`6AqA1nN-QEPQ{WljciL;qp9OEq3jHKiZsDsM+J*#D-QsE|*Jtz#JFxqI zDH}EaDjR2O{}*K=kncy?ScUi#+$VP=&N_PtSJs}KQ3wOuKMiea7^=pl^YOSkU*geU zEtsv`(j4m1QI6*6K}<}gU=)E_D{8*`b(1kpJo@UH78=n!?Y6^C#(s=^fkCoR?4hJo 
zYpUN7U~0W$7_wrGILRTxO^yqM0;10%AUK#LIdZ3n2kAqGLkP~aSNsH??5^iRJ%6F? zLI*aDA4c>UEJV*B48YkiTphOopfVR5N}KcDW^XdV;fL4cbR98#;~kPv>3Xq= z_|sqHBJq;Gfmn@G{>e%@HZ!zUIM-p9Ph;6xu!1UlyRu}U5o6U&U}>=^b;8p=NWQD% zbYDrDcOD?y4t^_d=8CEGM+xqnt`80UKT{=Pe`~VgZ(h1Zxsi17kEz0R{tVVT=~pIz z)<`A2UODhPc3|Pwp@ho36Srm8HMw}%>Rtu*gYdcnm1ttiyWL|nsQSC`)#?9f+b%5$8NMYyZ_j%*H3$_njd$bev_Xao; zZP-2k-!!~Hl!&&KDee}M`Cfz&s;WAY3_|8>z}oh`sEhY4_}?GrSbJ?SE%%oxD816u zc0t5s6fS$$p7)>8ns3fjr?3B_uWqCYUN zCy`+UO-fj;|DoU&YgvD7ie>|krVxvszWW@iSn$Ooy>q)iq@Y9##KByU_9&|53ig3g zNNIvP1bW`z)&-fRqR>hW(O@UuA@{Ebj^dRwHst=>|GqFl?dhIc>b;a2YTR^zMg2d{)fG%WzOM<=JT z%7rzEI4QbGY2Y^O%HNgCq$yEVQgGV z)2Mxn{}y4Z;#e)ZLlAG zCT&-_RlD2?VzY7|{P*e!1ncQa2udptd0kG(X7Tc>wi1T&3|@leX843&F4$pVD}!zE zK@9N#MX>3&r$0WA-FBCG9`tqU?rqCI(u;+azNR7yg6)g!#RHB$^@T*VD`T{&jJ)7GLqbi7!m%#sx58 zIlwGSRc`iYB5rHERiGl_kl*kqSU%kcyt~xB-c3Ad_>_MMr5_7{y}EMVK|eDN@-_(U zwxLJv2Ej4@D>T!dR6hwFW(H`lx~{Dhtr{|mJ7`AjeWn-pet#oQ@k4%4mFM!&=hk1f zrrl}<$`G@^6F6uEpTe+fhVx6abmKk$cs9~hiO{E+?ka&Dj*=5YiN}q}0BUMgyv1e5pR0Tp)Ah%@$s{4*)YN%U3&w^?9;F(Dh!Sj(%sSVl*9 z`pIZ$=m{eG1!0{yk0bBlR6D<_uB*7HZI7{u?<=BLD=T-Yt|5o&(DPr#*J7k1@GT$wFy|Kp_Ua_J@@4Ex5K;R$_2nK?g z?nD2hW44I;Mf!4W1i2E;Op8T~3@PlX0n!VX@cHpt@|ELrTDQo;EZ-GF$XSK(p+r#y z{&>p|>0*hyK7EV41~;9v|Bd_c@~QCYlgGuu`m=zk1DpMQ^YH&pSWajAJnzH#Kx99) z%{GH>kd6EA(B7Le1pG0-GT|=({ z*I9K=1|Vq%Y%6(e0*Hl8_)0W)Z;FcwZ6xBUV}zi1%WLNx?p~$~UX|gAvr;Ge4Y3Tn zwf+qZF%iZvGlTxTO4vC*t9>!PRzy)xefx{8hD8&2um>OL%#zG!x+Y&>|R;rBFNK{ zv-;h##4wGL(*sPw1=hdeu6K|hZcQsFgTr|R|6Yu5_@vEYdVAn?fBH{L2-Fq+F;?%gm z@m$0Dco}<3X(XQkI26ZwIZt{kjHsiGGhFlJ0%+7~_<93bnj(2s;*(lmU9}w}lAh?G zgz9-1z73o(VoCSPLw*adkaLGml%z|?;xboNal;V5tqXBT~q5->)* zkS5020Bzw+|3J(p?s~pO?KNYuy@Q$s$`E)T?Pv`Zs zj@tTQ6iOaR@=VG=Xf!&xIW0OWYQlAN-8=Cp*MO?>_JwwY@}dpT-%E_mnZm4b8h(^m z66xrwMXF;)^1Y{|u1Qqslo9%b7g0!=n#|skn&3d>JkemwV(uBH3_z2j+7zTF$04Ow z-cF8~o{|mctVZ)YfqT1<4twSPCFO$9q`fWiG0Jg}qm<1o5$M9{i;Gt?IK%-~`=wvW z8K>4iSn9)9hjI1Vf}&G*-Xkgrl>wT8XT@b4pt^{oj&WT^(XHao?c-pq;hF%ZHY^CI zM6`h9g!PHNlY@<9DMu#n3v*((^05!rG;~TZA2d3C9};RiyuWJWd2CRXO|Y`l(2FIp 
zVQ4YUQo~J_s>1Ff^qx;98tgeG!pOh`D5mP40BmIqpEA&W<9s)m-T3~ccONX~_m|L( zKsM!M)gSv>GGN)+i6E&2+{c5Ps)gMA zu7riG0@Jq&=H43C%bMC{zq#5t{Y63%f%}m;KMd!JvcZ=Y zaPTVv)aF9Wiw(16W)qpFHr#K?6vHEZx30jBDO0*u*p$+_>;?<*+o@VSY@W&?K3xKP zeUUizlS6El*+azW|;$obHr1HIJH|<@Yn&K@KS|LK13~Zca+xnoh^&=uNXR5+91} zR!ZEShR0P!C6FXB@db?9Qxy-|Mx`*p;LUp4L$JOV+?5z6FBmg5l$>%=m+Cm}s8YikUE8&J=^Y;Zo(hiGdC2=H z)zvC7t!I~Ui!3i9W2IW%QzyL#T7{hviKbgZXF6j-&( z^>_V)zga%szh9f(nkL@}8@`yJj`1d)DTZM*I1&g;xs*|d#`OfXn3OIW2Z(jtX_TO| z*#9U+oTYw;;Gtcsy z&K1G6dOtq_J$w)S3bqbat(MsUP7xaGALHZy6`xns5E~$-RMDQC3CqQ|3zppdGo5jm z>)F;b7a7bin*3f%mSp@F#_b-{W%hZ_O0x(wD~XnxaVAsCbJGdUBNSUHwW=vZUBn=! ziBObn@(sginTcs}c+cZ7&X)ng^<)(evenp;)Vk{S1(^6(InYu2cmP)gB)%qmf@7UzN$C*ukKYgZ-6ouCRjC_RgA`)a|3t4RMg(JO`OQ(%O_6eLVFBl`g95iW_zXf zO4vme9y#PmACK=*C>{)kbkWe2=EhH}ek{{FvO3RaG$pSppAU`}tlmeKZH5*{hMk=I zn4X?oKXZi&hzXAP-$Pj)i6~yn;GgHtp(#jjwEPA@WT>GYT&kJUq6q>(uLZwmF?7ic zM8)Q+q`gM_=0l+s4N3MStJ1q0EtFX;%}?z!g=OrigVCk%0ha&}2Yhg#nN}(kF0tbX zGFXw_W83-z^jZ&eHYaj&pm|YsO>5f}9NDq&>F>2y!23%Q;J;3yPj|bWDE*~iM8k)! 
z1S&D2oVbte?hwG$9?Fi6PTsOBZ!#HSVrN5oKaSsWd4~6E2dWtYBd1AD6AakqwJt94 zQ`RLCyo@2f>7Sm>@JMw~DGp~REfAX}5E(az%J{I!W+H>tc9dBusCrkMMYxIE!_L)Z zGAI8?C`r%{MAgSeGV@blhN;=N_nP$X@6G)$iOp~B^LFPWg(jKNc4bcy6+?cd=j9o{ z3SM&_R%3xH_tbr|w7%k~vD_S2o=F$*rejW3-bngL`Dzw4X#;|O5hh|7na;WVH9Ec6 zEnxd|vOLg|0*j(8{%%6(H-VG_u~xD>Irjh$SR0WRvtU13AV)gfn}9KqgE;oL;I9&` zb|0UQFCkmjth-R=#3Y)Ox}E)y^n`70a)ajpBgW6?$3n;cq%Tgg7WUMJLEg?rf-I4Q zq%ZC~M+dYVS$7VIq9nbFOYRjsU@LI5dIAMR3Z!CrQp!)eB>%X>jaop~>QVBfB`$?E zi`%3dcgqti2crZd?1XGZ7b$HJ#f+d+*qeDpP*F$I#PZETNVH!+Rkqc{n1j#c zM<+9&PL;JevYiqS*(pAZgL}I?e}TMeU>__dTl`rLq<5dMP74jbSgAU7x}L|My`Um^Lp#q6h81U6>M6;UFa0ZFu^4Zf}) z^#XdPN@E5`vIW9IBjCw*YG7s5bhw#O>KKO}$Ec(GB)Wc;=a7k}PATcSO4u)Pk_ora za@~vALO7zbj`O``cDjkh`Hp@_$2_tQ!{XQO)JkE$(Il>%D26b!+7*s7^IqnGzfhVl zQ7}}~ThhoAtTjp*rCE;|raiZ~C?_!xmm)R}L3S|DK2ImAw2d~@@?0k>&5b&1P0+o1 ztB)1+hEYlCj`X7)=c{CC&lNI|@vRUD5uf~;BB%d%Dcz z9rgr+4M_gW+g&gib)uk`8RakfU(&XTgDT5QIS*E4yhH#Byd%Zp_K?{=hKx(k-QgzPi2s?k?v zu}K01)$~pLRtFg=vuVc@8!QM++GZ`hV0#cu)XQWmJkTxm?_q+BOHj_Ms`8|SM_%1U z1WD6Vn6}$st+^6S`_?&cu=}%*1(rqFg0_hG?uFH4a>QlAncU+wE+GLlX`0Pr-=Cs5 ze|GQ4%)YQmJogbJkRu;e-~7rn?qD2#JAqTw8S=M^;BH6<3GVzZ*%{)xzJ|@3HY?R*E3z6-ZZqj zKi3cNSk=gAoX?>wsehS8uoIZ3mnS|o5pG>D{TA#vQVY$UPc0rO68~(SCF+{u(>I&) zZ{6S;ZAi1=s9%hj@L0)MwKJMrRLCo^vN!jvIm5xMsD(T)G&l)NkO2VkHP^bQNSm$A zEr^;gC7RC>HP5U}5HvyEncuX`^TU2SVp@-Lg`+>bL2X8AxeyUHPHk^=KxUb=%{FG4 zG;?(bhB%oeUkNs4m^G}pqARa;dm+64)QW|PE4gdp(QtTb{*qrw1;+22SF0;*H2YPy z@dkC=a7Z8b88h??hf&RUe6gzfcav#E&qCS-HSRLBC_XSTq4mNS^iB5%{<=>>{2LE{ zr(OdOKM!*j-WKWbQfoP{ugsq-#QiHzf6ot_!uMyNcY40Pxj%J_ec~(yikJEieRTY~ zG6B5wao#U3Jc=}ei~-UAoQ?07G(NZN8v%zQIC6g=9pZ=1S(&@QMbZ3{*~GDvB5!Ff z@^@SxAo0}xF*CIDisvMdn$VgxZ2-y=*1CZ>(O@5vW#{i1sbK;0yfIBMjX8 z>s{e3oZ#6%Ml4VI8WIuY&tsO)jg-Yh9=bR?GTQfMn>ZR7=x8NoBag$o#%t<3tiOhM*ZUi`aR;aJv6EK zXkYRG$tKZwpv^vZG@E_e0jdDdaF3Uf&tHQ$9==;w9NywnVlDY5P_D6=Ke)bQ%!KQe zQu3SXw_X$sN8fh-PyOFDgY{MGL~7^)U?bU05(RknIUwW|2r*3RSQ<<(HZCQs5*W3WKpJB`{c$cP|FSy>u1IYq zW6w}+c~sD@d62$5zV&KE6}PUqVH*6j0F}EZvP7HF!*`&x*ojtGxs?%A-eCxbY_G$O 
zntIqLql+JRJ)oFve92$t6he!~XFX-b?PY81i}KdzVP>m|B%7nH z5Ybf$ytB&eM=5XRF}S&g`2rf#FYQwpWp7VYY5}J?gj=+=KixJ(z&cj4m%=Qwu%T!y zCuCEJ-Pj;~zfF2|h@q~SziS)dr7oepOPWEo8hQ(XiI{!CaVTY8a2bNb#!kzEZ$kL} zlExHaVpq29or#(68{CS6?WI3ByS`j!IviD|Rh$mN$j_}^cv?d*Fg(jJ--$U*1>G0e zcSn7+E!WN|&06T)z&Yw6ZP&>X`i2LK-oF78a2G!tn`3R{&tC|_co*d$;iIb=etpwt zj$RF9k3ULJ3i74NZjV-Gy3#to(yU#X?xF&9z_xE~>|4k{kl8_#5OKqe>ocOgXphBg zNdnMs$iLg@<`%rAjGr>^pd)|pf9>`v{?x#!2;wy?B~Y>$V`ym$yYhhaXL9D}Z2??x z5E-iKO=g@f{(XsEevet9Zno-tX|H^s0jb}84ks!qI`=sAA4wlnaM~wD{e2Zfw z+o1PcZ8P$l!bn`_e#g(B|Fv%@9$^QN| zh3n(_S#JEr{=Cz@=5tx#_7>grRle-ApVwtG7M-qA_mY0r!BV%qKddlbJA*l;<0Q6G_T*rIqVq0W zdQIBTF=qQ7Pq{wLGMa!4!|QW<$f+Ha&b~T`CQ5OzHe~h&QIx8+TN_VMK>`Rx*L+N+L%So z*e5!C*P{t6M(UPWE#7uxlBb1ZF&-PX5f`wLuvIp8CR>_C+GYJN&|SADnBH(r8x|d% z0u@PeUv=Xq??n&Hd>gM>M>1I-vP)lFoX?jnOJD1vbBe?=81Z}njqbrz%q?M7Z^1SV z{FXcQ%u*S#d~uHidwr%zak`)iM9G_q3Swx@IUWiQ$&o)_P(j5i* z3$;v~g20p!iKE&gFk?$MWE!n<=BQx|m%3vS$~(x6`rC9z{?fr@t=_*ICnNweVOzbG37@*QE)9t4bRP`zX| zo-GBXC~*$d<0Rp09B7Huew2$3Z<3v@r6b3QJc#y5Y%!FAplAx)rrK{Di;pv79GHu9 zAW>So*wr}LjPomX^sWz-!l{Kg*VhN0%8M&n`zDF(` zDpI5O+^&+S*q*tMJ&2oz2R*8a%y)w1tjd|ltevLS!xFlt;@Et^t5OXC{lG+n8XcNh z9n-%$+(mq}b}a=F&PUGD749LyFsIW=h77-*N)!^fKAmW=8;c-~#Xkp){#`2!7vSl8 zT6Q47L%QISDxK&sBGMqEH8Lokk7;_ZoAL+s)VJt|)dY-bTu;ok)m|0mzA2N+rM$#e zB8XlBqBm8UJyKwj{@{T#R=iPH_qYO8B+KClGy?^q6FmmbgZgtx zstqNNg^L+;&PQLWM$Or!j`%7t<3fM>qxc^rR!mh)Ksz7)kZU&^JjB=gC5Fc$vI9ry zlp&_3F$N@7RS2d-nQ)nIFX(crQi7J6)*lKqz&TMMuw|_hVK;|FyVH;}UjoQx0Q+5< zKu&r4QAQpr$09{O#|vaMNn%TIvlyg4U2s|q(=UN1fqag>f4F3Z7OiV&^}zx4VWSI& z@?Sl*mx5sSOI-KS5nn%X-$8+W=Zt|78dduZO&D4~3>-$EY4K0m9m@oE4xSg7POB$| z*m+Ug7wSxVKpli`+1vVdB2l#y=dLxpW6we1DXx9Ay`yBAh5%;6KCDj(pA+mT&yh9% z++ulbIVzqTY(vv|B>WfI@7H9Zf>&|h z0d?ymA8=IUiv8+!vQ_bM^RM&+Nd!Yy#=&?t{mitMNvvSx6ReU{&t>96ByJ-{YfI*hVCB^EK%sLDKUb|nmg*v902t@Xz6Xgb_Po>JkT*YpYL&MYqg%^jwSVeDJ~(hCbG*~M|KH?UKR zs1|W>rOQ3jo!4oaCB+V0@0stKQxE*(OdKuo#$oN3Ao#7#9{i5tCINhDHONtuE5YWI zKO(s?A{V2O8GnAhc?>}+ATq5_)p7~48R{4>&;1G)`QC^iG?T(8*qCTR8& 
zZRy$~+t_*T_c=a&C-*ShqSw%M*0hGLn9et_&+X-8q1_|HFCxe`5m>{JFsUZ#!t0m} zUE+Xq$+~%!G7N%@GN+V+#ql4CaCYshb8j;YN_fT7j7(iZV(MQD(>ft4`)q+BrVU889mAk9|3~yM|qFoXyrMN`M&(ocbrvPN^qWgVF!fOKkv*{q+ipW?)!B7_!zK#K=r}>+#zTxL@5oLx{eo zU2cxkB#Sx2XL{d(>o3m_pgYnEaiPbGN~pTbIo6ygKm@0T)`EdDj)BM}zNI@5#hqrU zWa;vQ7p#0)80r(g2b>lyKJwK8fIqPhf1TRoJvQld$p-_P`KH;&zzi0s)@@|TjWc(7 za0Teiy8A{9vJzB$1iM4~EU#pJ38y1H$$^E%0*%0&PUSq83qrIlIU05G{nCf=-*K`9 z93|pNsXG0r$~U;~4)kz0t&1DT5JqKu&?-eN+5uBQp;J^D;XOZMMr!%mTx#HewS*ti zN|X)uddC`IlD*B?+r)li_|i79xPl#dS~vd9a-FWnU?N6rg_ZPsyDJjh#eeX2S~(ou@+sGp z%pnFV9RFGizM*37E26bcG+gw`T_w)7!+z^!HrL>>wG=kBKHBHvyeIBW!;~=jTmq(b7my!H1!o5Jid$%TPSa z?t66wP%^^SB3&u81YSx8gt@5vpL#u^@sZ@S8!bsQ*v<0F*}x2ESA&s8f2a7q1jVYP zA+R_9j}=@1hH(*xIf}m^_It_sh?ux8r#ce-7Ph~vrD>LlVqqTP#2n60qsPSw@Tl=e zsg)Q%DL7nZ$v%5z=k&m7@UP-wvl?ZwF1rCNDfz?@h~^RDnkHuFqheDvoC;7Nb^pk% z6VI@ow-%09ulmz-?2-0Rk3yxjf(?xNBl}7hMTI9&nl)F`yw-L?li<#5X$k|xMU5wo z^V8Bdh{k)yN(i{s&%SZv^+K~X%D+|CRa3;3e{IpduZ;t^P$l5ovso4 zkzMU{{5qqJyc!;8|>n9xc@8H%l;p^ z9<7z`*?Mz^t(+%+fGa}(RD0XTH#`2nd~h}+ z4dtVDEuPAPfltNylf9J9@*C2sk++ZNUd1~AI}y|H+`%kM?B6*)|4U_1Ox^}#Z+IuY)kA%{36K8k1HL4KZ& zLz+b{f1S8+*FR_2cvN_vfBEytXOnonK}G;ua>l-3vi|Vl`4bbm^z6$|W6W;j?<&c9 zA)@Pqwg5~cn{N!4C|eQmJ=SEn+dDKX&(_XX{lG(Z;>*S2pMebtO3{T7s7LNChb6>G{ND zHQ{LFZm6N!Tow~svO0lO@HawI@*Az7nwwFz4!43375DNEFc~Lj^%MLXZ>h3Yny69( z?SBA`VZf$vnzuU~J;PGmV zs=c#D!O~!B33oky?HL+5_Jr1I_u~M!e*kvJZR{uBF^M%LNq(jfB+8tN2&|5VanMmd zH@*2c?Gt9Rurf(qii2AG6(`tN0;hofOEs|-qOCdKJVRuf`> znS3#RrvYyEzO~GA{c-~>!ZFv%mJa#QJAZk6et+G1mh;eZf#eIprLkH^{g&+fm?l5M zg=0a$Yr>hgz5^TbL9_NRL9{PHufd|Fl8$ofisgzktd!Z<(Yg{eeo-Hq9jUonkfEy1 zk_so&?Snoci#F@sB)xr$)n4E{wMc8gBOJ<26|1vE#^Od30S6$6k&>Ir3EM z)S%-=n(~>MhHjicV3SmwwQ*G?-`2N#r`b`eid7d7*K;ui6i%mJ<(}{x)Hq|=Fh!d# z*lvAc2)Q}KRXIZ05LxO3hX-f+I@o&a;yyYSnUxnlD#9#cS{e+(&g zWFYN6SGD6wGgK(@p9f${0*c#r6xQQK+ldL?q#%q)yrm6t_y7%o-7*4BPx<>Yy% z{wmfD>(&b@F!fJA2{lnuttPYZAZJ0ERODC#xm$(2Q_gJ%MIeQ{=iSw4tiHaO8AWYf zF3k|q{6V=Q@&vzl*RG$2ibkMo<`?CL&)r-ot 
z6}bOes&Sr-B6;__Nc{K9j0pHW8~lPW3`|$LZ#i22ZbP0_JP@O~FJxr@i1k2ZAT2I- z^0GDc-z?&%KOrOf6;pY2#DBf&!IrmDTZ$PTEK=rDbP4xKl04YD$_Y!4Pt@BOmvB+& zvos=(|6-XTlw^-;LA10VM+E*jDAG|7zzuuXwNxI*JR77H z+*8wR>gs1Gk1G92o;1e2{LEnwg+4`#v4##K?QPG9sr&U~RI43D$Nyid&)c?iqZz5H z(59HKX{MH%S*F&_c{s+Aq@K!c=Q486gze1*d^n#R!uOtch7_9FpHZk^B9oa$7tdi_ zSnvZSEl9?2?J~W}?O@>D((?Iq4zFZ}EMQbbe0Bs`zRGa^LD{DMyx+bSo^T`lE_Ao9 zq;a>NaK^*sq6DDiFp2%Il$<{TicOZBc0)v;2O#u|UI7@nU+E8KXQUmEo!U|pZ|?ty z^^jd#Z&Wtu1s&7O}G$ARJ$MUX@_Y#uP40k<8xxw27`Yh5^*B zw>MRIiK>Nx8AZa+lZVqv&IC8Ojmj~MsRFb!n}3euK~`894ef4-$IB;}nVYaCAo_kl zz!WJw*Cf@>|D*qPHfjAY7EUDnSRZaCtgmjturn@pEcthG6gb_!YOeAJVY*I6=Z4NE zL=p=kPODS90&Asb^iA{LUBBiZ|36TiXqW>8oTp*W@;C<>1i^MOE>_?_OsdKKI24%l z1zY~8K>aqnVsX#XL=XIu+c=_c9)4ZKI711U%2D_N z9u`+;)KF@h>PZq7Abd&Nzu5OWzG;rwJ8?hCRc~<;oIfN|KUzBLP70Ew-5=MVmnY89 zqG|0amlKuvP2|;*^nQnxwG7uxgn<)eJlNNH{FOgifv#r*>}SRKJ0Cr*9&r@Hc2hxx zR22S3yo$W-Z4|4ibE>4X>@v;P9vvX5vTM?L#Z6j44w^fpbM4w*(b7K-*;|^ONYFvU zMV2fi`Huco!!r)OWNF*}I)+vI2ZsKNOMX-tQR*&U>?>N{Su**n%jZpn5 zDRj=IW5i7+&@8y_kf@P%3_r_k3xw&8Z^@#x4M=_cjRv^RQ6M#CN9EY_+v(a7d|6Pj zC0MU1$({e=Rf<(=Im+o$3|;Es1ExyH5_L`kMy2LD6!KM_@j$45_dzhhf`AjlrkzPF z3+9%FD(dqr39-!zJdS)4E*AEB_}5>}L**x=7ot$a@A8%~Jr%fZP{ z`NL6rc~Ou8_kMCB>{2p4LqK;51k{vOO>a{&oht@?@4ZKB z6RUfHW1od)F|+BoeDV8_pdhdLf z@fx6$QT!{r3;p-0CN5GEg9ELo>%$S6tg={7t_xz2b>PggwQRr6ZfP>GbU>Sqb|daw z5~p%$i6kL617J&W%z4Q-_-45zvAz7QzPa#N&e1%>u-%I*G^u|3A4CJzUaoHJ%+iQr z?SE(P8Nl34~6_}r!NIOYb!trzlCZy*ifJgBi4)6C58y= zjdf9>Qhr)+Tq9y8v2S9X8JDL?&Y<`&EH_wOqUZQ8h*5%XQ&-C?A=mC^U`QM%R*=t5 z;h1aEZ0Fcmt$Ot1;As>D78Gydqv9|TMg&OK?qU`M4zK}j7uXsO0B`@tsW&F6wssB2 zAJw0WSyY39ebEks)wq}5H?usAd?_dy$_mp!s*s_3)(&uiv}Iq1$_Sk_$jTXr1dp zX3|_TX|?}QD?)Irqc|(hL%59+QFT<8&#z>ow_Hpqm(r_tn>Pa}RXP4DRWmpvIV##d zo!2;tAW5g4{SAz*5!C*$k8CoitRk8qWEnnnI2S&3N~*zys3^f#1Ehma-W!B^ zNLt(PCBP7REMFpHHMG@{AF*>J91kx7#E?QV_tqwTFwPGTzviz=Mbq$}MoHC`Bp#fb|Gd*Om*Gd-TQ;ehTw9?Oi>0AJo`?XAs6Im!DzLYo zETU_^yoth6NrsZfn5wl>(6`p@Y*S)YbHV4XVae^`e>MTXH*3CLWBroCeK>GPu&3L$ 
zRo`?_iRHIL^;CX7aWivX`W{e0iyk^?&kNlY-@IHtx0^^=J1^ftdhA54a@kH~GKBmG zw25eJK3!RMc`d37!cvd2lVa^&aR&u05L~?P;t-Yi%6jWtoyI0vDp|Q=!>}k~=E%iD zV?k^VtCdv~Os|KZYeI#}$|b~D?Hk2fW(Qxn2@C2>{KSK_=_xp-*EL0*O}Zc9{Vc62 z&W+`@Lrzx31w zNIUL9xkABh?fznL{q%211JS|~=ZhrB|2p-iWLjNiD)c6o;WoC4PV$5&stjH~266l;>@ML)BBM+^ z2skJ1ZbA0L)kB3AoRLDK$rA98ISB~<9&Uu5cSAa#^*#`F-lyGoGxrnrJk17RwU`(s z;B{w~2;`UD6K>+EUl+I9{pc&0SS4cujfv{uduZj1V_0Jvf2tf$-0Ykza=)Zo>HnO2 zlN)Ec=prpcv(9xf8mDH4|IqTbEL~Yz^V6t&eY2ohGQr}@L2^y z@0&!*RRx1M4`Ql=RL$LhylTveDl*sPrzuX0Jy$2vdJy}z#8#vg9?h=Qi(n!Syw>UE z=Ll0;zEV>={v>*o7Mr;N-dpka{37XyY)=aLD}}DrWAu8!#1+43{ekJKwDTFdv^3K*2^lD7#W5n7z918Oc97cNMTxAzenMo# zQR%}`n{qK@L12M*DqXeGlMNo1cFl>>1xWj@aG^M+K=r0Pw8=Wz) zBFS_%^^Q0T$5lX*tf5MFZjE1|48&9nBW)*WBudHn)^^{0<66@Z&&^T^feELJa_}qK z{_m}{A)@u)t@O3FwjJ%+;#@DBSWt5hjEyqR1gfvpc6=SDnJAH#N_rtAe?OGL6B}do!%Z>I>dN{YUNwvWVn7z7h0sXjZFv=K14K-j2Ymh zVa72c$}mC@=8y;Iz6sR71rOM{zm@r7o}VtIg?@14bzoNYvPl6;TyQW`YVO&CZkmb3 zsX)pqKuLNt9)Z+ePq#v;@sn#0*xj_eCDS;!D=l zvm$qwG?Q0OU&hRlZ5>MbLrY7WH#0eYQ!09Pm7QMe@%uh7%T%wsdpVtSbZjv@lV%a0cKsX~yynG9xf8tUt<>E#lh1wD04-BEfy) z96mQoCNf!<(6~1476W+~n^D!En_Oon@;-3M0^LG61tOlgG2YEsdV#4$x>tv~v~-~r z9;{P98Y3-*>g(Jevo{q|My+X}3L!M68#0^j-bv~lXfG3Mwp@~P7G?eSxNbT{^Y>KE z5OH*U?s@o{76K;vlZoV3fm?PQ4YX=6h>n|@O4oR)guvugoUa^CqS!-M4WjCItAthD zx2uFR&AT~w7oZ9lcJOEO2r8=nx%Q-=lc=>P-pxDf7-JG72Nffm*5p?QG(i|s#cg;@ z!K)aJrmsz0QkMSIl#nk!JoD>8t|5{h!U(m)ma{srfU zSU{`?Ir@?XJiy$?5?v1T2(`jVV?v?U>@l3ur_)1-Xhnh77@oGse(@H7y)n({qxVl| zmRrEySPR$wBp0igdbyf?*$lg#$O61SaN$#)SFJ)K-;RwHR>0z`=V86ec|0f2WQt#O ziPod4=j|F@)8Gc?)Bj8>Nz3v2cuZj$d~*@TsFBA;xdy(Gm_I#TwiPs(PR6*k-h`aS z^-Bsp#R!G7PWBpFI|w{t@4}*mt!QBeSh=n;_ACl`;}dFjRZVO)Df55zk1)B*b@m7)bPOHOb&{r&WQbt=HXB7u-2)MIORT0pq$s^95uqS=6*L*NNyTGp|)?Av4 zBVcADRcwI`ol%xZxos*NkeR3JCfz|PFULVb!F^z@u4D;dkn0F7;p=(9FnlrL$c9X= z{+j-~<3*RW$G}xWy`bga1lbq+UW{y}l9HTtiv>3DcgS0hM0I5!TMHQSW@iK+vvgqm zpwr9tQ#Cl7svr@g+@H^XGk>YxnR<`y`WgNUy;OF={|DqV+2jIll7V;ulP=`;51;p! 
zP#a-Z2Lh6js99I`rK*qY`bw}qH&wcQ@8Dy1nk!l;j-`wKevxk>Roa#3hNUVC6;R`- zEL2+?KA&%KUue53K5uI{uipPzSb2Xa7jjhLs_Y?~rbkmRvxO6SR#W!jFn^iyx;_~z z)1YT1cwc2kxwNyR^_huXwRti?9+h*k@ClCWoQ#BAOlr$;avN?F%obQ-|V8AV+ZS@ZEA(@b5!@6Ik9zR=L)Y7t~^QqT@~4cy{o6-Z`IUw)@_GTtHTkPs^x5LNNR zGnAwXRYhbP(Ql33T%$A~Ov(z{x2*eB4}TIDyk0dr@El|h))^kY^PuB!50sgI_rees z-UeR)A2}$=7UanUZPV)-FRB8XC}qqyO@h`z_n%?r#@gRuW-mb`SsCzzw&)0iIWzX+ zStx0vo<5(RoU#eQ9b|e3SJ$*X+g=NJSN`o~V-|`43Xt&OiJ0rWgPRPQ_XvGTk^|T~ zJ7Aj`eXNH43{XwS05$WiFXF}e)q8%MV&>6z3z*d%GYK(?hrQ-2myywbeg$u2w2rXV zpJ?RY8np*U}?l@oVs3Cv+XCQ$41XR5h(pNik5`GeZp0@h#FSi$V zfz=36@AP2y_k_<`POO*MCNN>cLY6S?1raR4F zj6W13&&6X&0&F|UE-{YaWrKZ=`8I7O=&^-=UF)#LVKc@<7LNTkFwgH1c14ydH%<## zLFT{!QEzAgg?X`A8eKMuds-w0M&_c5(7ru>m0MZ83^HB86mlT>0y3F0`*GaH&1*H0 z{%c|dBx@5_Eb@5qbEHGL#x;b@zx<2j7vCz~AUGK#dDY-mogSOuTu;CVaMufP#oj$hJgcT)q^ZvCUCE7o`6-WzZ&O|q%C zR*Sg@TV)`wYWEW~^5mh^xSg8<4g}bM1Hn*~4iq3o-mm_@Q{>0Aue>LrJ;HnH*PRxr z&YRhjK+Ja5VK#472hWp9?n}nNs-%&EyKauc4d}9SwzschLm49&aV%L+v^% z&a3S)321A-Jz8UKL)fA}e3yotFv9t3NHQET##Mtr6j|}_Wik@h2`B|3w5_eDlVQ{! zzso?NIE?oaWMx-My(8PJ(kM%wgGpCT`{L%ws|d2RI1KIMfaahU#kA^)#=NG(sm3&V zR@#RPvhL-!e{PK2f{VBo=LVP-++~yQbQIlh^zsW(Gj=8u@!^7?8Y@S12JIW&SU@Yf{C3=dN@A$z8Q|{yTR? 
zV*Z=EHfnh(U0PW&_g5IPoeep#K7ih%79UYdE-NKJSP=ORBvpy2x8F6hsBDn@7qMVsGHy-n7g!{RR7 zUh@<4RbthT4M%azA7d4v$>o-~(|<(bOauEUtt{l5p@V(>TDD{t=WmoDY|zfBV67s% z4bN?8+Af)trVJXP3jZ z@}n^2hhT_q=e~U$UL(Bv5o!=qkf2%ajXR~(5(Q*SZL}^Em|=neghMpcK@+Oc6P$LQ zp4ea|NaS)>uZ^HKIvh-5Wn4kR2-6{@LTVY&8*ADzc{ge@YD+xVTbdBnhu+5jz*JgZ z@*645G^{Fl`Q%!tcvC@-Xcp3aM(6 z1j>g!zb=dCQE0$ElYh;v>0M7bnx&ic#ts?kZI7~Kiei8|>*fANLv87cW;zwOAHTF0 zS9KslKtvfbW^%L-OYG839ewHj+0-ya4YS7?hH;QX4q9LB?fJx%tX}+h##g<~C50l= znaQpbWmvjQAU`@W1Nh%o^{#w9;J|6{@Cbbm11cwIaqVyxRNLFShosGLW~^8je77c% zKW)zwya)2iG=M44xQTnS*gGN@oAcVU$xu!*NPRPizU|fv4%8EI_00H3*~6R5ab+TD zg-z70@fx#t_LMKR*+_YoNSe2x zLph!YD+#zDUQ27Lb(21ZoyAgDX1e;Wr2WMTdD*az=ulJFc)}^yNJGzml6JCS4%(j5 zK0Vvlk7KZg4s8uGM|rmhH00NSfIHUA;vZ857?W<5rIoQTqbrsY)LiR3sh_NSPRmm2 zzmxK?D(q#d`?JLw_{TS~{utN$ey%XU+%W{Eq47$7zVd9eSaN-D@tm3A*G);pF;42) zN>X$6GB{!h_0sXNb-?bo0hzaaPyyTf92MW*ZO{m|PwjqC{pOB9&DWeC|5Z3_rIFun zQJRUC^{JTF`T*!|M6szEl?#6D3uWvwthZVz9+K)L zj^G#Ct>0TX;d&L``=LPKYQJUzU4r+nhds-U%K=}MzPe*V{Nz@|{~h0Bhdh`WJgt6* z>L@U17j`L2${DCp)j66wV2dJ&-zg|cd#`N`S5NnkN2AO8-KhP1bwUt{pbY`Hkdzb* z(#n8|p)EqCv8l)t1S!v(&?=R!c0lE5XZohk9TGBRj=doRVK#1rF?2#Ltz3y6v<>&&{u2T@=f356ZiY%C`T0sEe}+X1G!50jC8zpmG#2V(>;Z#g z)oSomT%2o`8dD{6XvC-lL7iXI^hR?)>n*=^sNG(@L8bgrnZY5=;um&qnP%pjo0o0{ zowne+Y*Q2@H6!x?^T~3mwhOk$W6sZ-s9pQ0U(3$(i=ZMF4_F08=ots&l&N_&EYkJM z8utr*MH=hO@CFJuyWS2ktH`>j=e1teN}oM;O2{;B6rYr|=rB+*)xL+0eB8&e6+mM0 zBeZIk9mJKHT~oc&EQhcykxmns)r-on>MNh{j`d8Ia1(ug;6qym7=shL4`u^LT9l1i z%#9BOKj23n?ffu)2LLcTu~r9Jpd&Be`5NSipuXh$yWqez_`&{yvG` zY65WsHme2Kx?*)@>GdE2Sl_j&wWS3!tG|247h8juBc66`Pfp|sB|>(0A@p_ocg$=S zYGP9{G43ReF47PGz)dC@n=9R(I!4YSadNfHDq!62mLFQ15%t%zs-%9?U743?q+E^To7dGtq!A8Qy*VFpcKT|EwC#L~*dl!@g$kDX{IeI1_M{iOA@TI;fHd0fZW9#kh|b8Uox3Hj(b|xdxvMnqBa~;$~y28G$@TuYi%!@m|5?XMOkIA z-gx)ay?^%^GK&(|dyS4pbt)(kYv_T;5Wk&+lgenk!Zg%Hhr|o)SS6ynAc)KZ2iOGh zmb;=08YHmSM1ZIlt_+WgLed>leI^V*tu;fUk{Tn zlvu zxu%~dh8=fgQNnmta>)GaW4OIzp>9i=-Ko#wLpb?Q&;o68cb~*jg86~#vRQEFkxUd! 
zR|BoEOq9T^a5z-7V5^{LNa>|Bx%G&kz zXE$Euh!K-je+u{ZCU^sQxk?890fu}yR{ z!Kn6Dqig#ud8^u0=2m`H<9$}kz4)Zs6;i<=w9GNMl(>UohC{M%B~WFIv@h2)Ww*z+ zLeQAR4W;t63oTA;5WK7@q+EO~yffE5!;|e^Q$&u8e`x+~+ydh3mKiL5d{>&x|KBezsv>bpC95-@27* zvd;VVC$_XEf}fcY&PLBFfxlI?|HA!jbO-CMQ+kHd)#AYA39eT^A@9LUG)md4BczD* zY2>NJR)2SSn5RoB@mw{nC=VekL+=s`kwj@;$kS0CF+qH1h2XXDu#MOx-do?cEE0b0 zfTS2s8JO0&ovIf?Bw4wUlww@+^+;>rAFtjTm^9|vWm|X)+MrYa9PF0QmET-?wL0P+ z#T^`%96krgg@m2}N*CU=qmf%ZhnU=5pK}baf=hQw@?o?j^4k z5mHDGVrQTfqWotfrUd_P0eNgSn(94N9HwA2r!iSi=$up~D=khi>>~&y&9)pHo0#be z3IF*x0T+BT*BzMcx96e0otIr7 zN^z!s@iaUWWWnZX3@k%_a{&F-k>gxI==w^jIa#$gYg&zI{BHaG`C;vD8}2yZ&nGAG$6IY@SoN(rAEyap zy(~*C{L8DJNwu7f*WDtkjn|udxs9_CIZBLVCp{mrdM*9C%yMZjL*KTlf~ogt(bAnK z*~m|GWnL@O2|DW&^V(qz;=)mBZS0K9E~i}Os@Z#r!CAiK!7nCbuyC8(un~bmSbY^$ zUIz+3J(URv&uKw|e#`>e4%tvy=tVuA>u~2P)2Hx9Y`oHCXPp`AjfX~M@!bCu)|&P2 zD^cP000s%Uv)^8$2{z93AyF-&ERiWXBRGo)nP;H0R;jRJNoCi-Cz&XhT-2V=zK*CG z&XEYKJ~xxbD*;OS_R+boy}?4t)*S?;qm2W3za5aR@cbQ{s1rnm#|NGD-4xsP3|L#z zeQx>DjPEk8FZLv{#)H(ed)lH$f+XF_U>9l|;?I)}VEYdr-rr!xY*_DC?&O;`l-uVw z0N%19KxxWp?KNj*9=aw~o-(U7(IMvXqsr0!r@J(FKwjL;OpQJ7XaH%E-7p=k;6_}^ z6RGGS9hOwCgxt~$Yqb)d04U4$BsORVU*#{f)bH&{o!OoSKbrqi>!qVOZ(I`4;c$PZ z+*|AH$05Sy+ziiGtNLG)w1E6SguPRcAmPGgTefZ6w$WvE*;bcr+qP}nwr$&1m!|rh zf9~9fI}!IGU-B(qGBWqK*Iwm2!#%XxhfJN_k?1ba`?v9bR*mPDDiK(n_wpidjEa%= zlTb=Kt~-JzPf#ouX*Wb6cOOb$G1&y)8^DhwKBZ))!HW^jK!!8+NfGpDC(5OXTO-)@ z$#D3{8f@)pM_YYs)+(8066M^En$&?~L+^F)>{M1a++q79F^VBnFS^MOh!Wn}(pf zwM;q1vc0S}yy#<;s_5Lm#))(cXXo%%oaOUEe=xX{ml$<8#@{HD?sH;eVtJ*PUA z+bi7OT#MY^RwqXOWQHWiR7L#$l`z{xMe64=%sBQ@1t}X%GMCCxIuHS;i-$O0W{Yx(G_fB%MHGxSjya(rT>nCMv3r$RI+J=a0 z2>r`2f^A**wJ6A)0rHeB*8XNn!3*ZBX=5y4xQk`rr_ig8#BSiG)FyNP@@RcA_;CX) zx<+4RzC)K?XoWPTWNSkRFTEg0M|&YK=49{#6hdK0$LL*;YT+WE-%PPuzF~!97}men zag{F4u_#WqR0M)+swmS_;x~RS?U%ixL;FnH<%Qp7tHffKc%182L&PI^&AV|2vczKG z*b&!A7lXJLO|z`l|!yBoEW7!aCKh3Swssr``7u`VGI?{p+VmSQC{BmZHy?W}alx3jb^Z zmMMUOQOhQ<_+e=gG{zY8*Aa^UIlgbASmRmLn62@r4JCdOrbH9SskSxPxQ@TNfna7TQx_`J6RZn~8byhx|ESM!U8AMr4 
z_T8?!&o0k{3q4olF=smqn+QS_)j=d(5&wRTgsoOkxIl#UDG4>n&Tk(u1u{_Rw}zm|`QoDs;o_ zejEZJMPXB~v8I_7*of9B_hmn|&>)G%t~d2-C1Ynm;-+pYpSk#B!Mt=;Zm%oyQEGN7%V zsc=-J*-M=Mg8UQ~m*FNu?hB?(A>Ff;ni8vf# zkX=`-DF^6Y*^yep3H@Kh$Vd9Y(^{|V^`vY#t8KMPioS@@`jO7&g)1sg?i(KQ>a|RB z!eQ_C4guI6g;p)A3DfA+R5+AD7;+N}?8V*m#fO(q@`ca9zS6=qfbTuqCry9(XjcqC zB}h1nVcSs-S+CwpdC9k#x4VR+Ou%j02PS9d5y^NjiEzP%mJ7OL z;y)$O!(Uu`&&m*eWwpf07$rT)n$+j^j{Yf0^g1w}6mUiussh8`>>QdZw zIX>@w$@K)O=pj^v3FSeeFv@;~AC6T;;{@NQ zl4oc-yn=;xGrYn^7y@gBwIw2^h5eGfNH4jtECa)qKPwa;?;Mreo(~j3lGz_a?R&1E zhA6fIrg_+l@2`j3s|>xLu>hsX^hje$N!MD;IA~akasv6A;;q&KetY;*q_cd%RnG>e7S)=QR~Q$L>6hp zx4;{?&%vK$k^%czo?w$K=HTc}p~%wZ1+`ngs9QZYu;p*cd!I}qaCc(M$@8;H2d|Qa zC&-BcExjzz0}dyY6u(r(MVyH$O_(>k3a?We{!J6(nZMq&eB7*c{4gVSNh%8PME)^z z^4&l`dK&WN-n4Wzu3v>s0i1TT+UabPvH{sj-!}KFlCG6$adCI+di>4#sWG}usf~v= zAA86P$~IF+yZcH0!*FML1Z2nW;iOQ>^iUQTHFfQ_J0K*swwrBqv2xKj#{Er-P1VXY z8q@hxp>_s@SBMC=e@eY<+)ww_IbVJca*_wXSBf~Y29_PUAIW_9Ycx13py6-`S%q*r zjglaDbij4PbuKLT);NkG9}8@k1Lzt92byV&&#arR#3YPXtJHm9g6xn!t8s;RsI5Is z3O*vbCwPl4TnjzW)UJ(VXo^DGiDSPqRgoIum;BnYI1G!w;xF)sPU@lyHXePvoU>{A zM)tA|ArrY(x(S)kK_uVAig$y9zbRjwKF%s)$2!IbRE3?hyKCvHE>V~BP2+uHT5%!tlMf3jF6^GDG) zqaGgElZ42a)Iw^eajKbQ1?Nq#w1#-H=sGU;m6G3++gI#&PY<(WRAY91HC;htv~3|X z#&?6MV5qOf%orPqo?Z_02L%`B0H0gvLRQY?w|Awl`A`$!6E=5WTx=(Ac%;|i8A z$`DWZ)*3)B_&nE8xIk+U%3DMlhn?|Yl!A`uA4M}7=v>Bh*76t;2{iB%>Vbgfj4ps!&v(KOpX zP`&KeZ_QU_Qko)p-W8Pc{sM-Ye$?FP$A#nt%`!*}czU``Tfiz>8jQPP77#dP1#db) z^SKQ;)A`f?k!%n zn1!q6eLHt}&07wy61#ROD#k=w+V(Z$EPFLls?)zJ(7AlI66Cgb$2_x+L7d9~gTAhv zqFV6f7tk+HFpZmHX`Cq4I@)04h7Yx=MPx+BC@``YeD%IW%}(39ap`^;IgUwxvSyS2 zqMd*D;P30n!RcN?CP|YC-OsRkINLh`Vx}J=ADM21OnLq78EpdVct6N7&7(W5f6?l$ zgtWFPR)YPwQPm-BCyQ0jZO>kH{JRi2Unxw#f4DA*Y$i#Bv*^rnYam=#SIR(W!}OvZ z+H$#!Mbl-^m%Yx4cc^$9k728LJKS5*=6s3?*3_7_+EMv?GBaDzhE5u^`CVe8t({s- zkAoSD+QY$>}>KBt;k|17P& z2;6x{5-dml6Rwi*E$vfzcyBXX+Etv#sRV7^oHNe~!8))5Y_ySfzHv|{+la%-5+HB& zL+kVbSIkAE;TCjtL89l}c+M5FZ3Jwv%%T)HCmxJ&SuInBxwZW0P{sra#A$T% 
z;d*Xz)EY~-Qd0ZAL~r5P&S1-FZ#m>~AA9>(XOsf4b`1UO57h}Xtmyo+nsuX|eI##C z446aF>5vA4ZEd15%WMo+gWWJcaxmH)OR*f$zp(=wAAwUdl=(KW*oz0>yaZWGySE2# z0Jn#}F)X|505q|jS-;b=_58dL1 z=Rl@7QdcgMzJM4V!`h7f`c451Qv19)-8m zs{BR2@9zAuM321tO#!&8N;%-L1cslz^Vep6!f$EwZes_P(RM7S71Cy?!6I!%TXSm2Q^`|8 zBNU%5C^wIVCTlcnRxD~{?zvDo>g0F1XAo66UPv=U9n7F5D351yA?lo1U6F0Upxf5S zo>8GVA;gHj%1S5K(%wi%noF9Xa&|H5yLHc?E+>wU&Y$iUTW?PB*yC6AA5I5(5r;UV z@MJwNiz@P~UTV0OW%qVi8yB~C@yK}J(SA2~MX*F&x(H*FtAyWPtl)Bfm{Q3A@EbR7 z-S6lOZg&F?B^?mDfvQQ9^D$_%}BT%bh(js(PMF zP?1~rFLs(!dP%d7RRMOgTfp@f$%i%R1xQe(8)K`$nyZq{*;dErdxX&t$Y*~Rk#o2{fm1fqED^2N+ zX1bGB($@!mg>;QyVw>(lbWKK5#JINKFAlzKkfjg)|1t{pnJY=GMRSp_u=gPN{i=^C zc7a?2)mlx)9$Up1WteNPf%ApS9!Nv)hU+3^Rj8%)aPkBtCRy$k*O(xN7Hci?$b%e^ z!;x)NS;>{kf|UiF`|I}&G7-$u-TFEDN{K-Kv*`;3( z+uf!S;nu@lk2f}ZxqRo1Z_ln0$UgKUB$-)iHZVV0i#Pd22}JW(V^OkJ$C$@BqWg*6 zMo*f03fA3)XjSYrWP>H6pI%{@^~eMlPAiXnB&0<1h0n1$j8OVUjB%myJG;`LHEcVH zu_N_Wc8hn6lt8|UjQGUp?8KPuodqX(iG@!wJ7vEMF;BmRiA;x$Cz1wxA_d^nM*8T zXz*4KQbci0+E(VfLZjIIvuk5Sm`~}|rmt(gnu7i1J`U^PeS%`dNsjXn@oEO_G$i~7 z%U1NIz&zGB-^xbpz&GQKiWP1{o{dG@vc~on3j9E$t6zTwf{v}mwv-yD(g_v{+1)Fk zS^OYP!zrUSM^M{6`@VXe{@mu*Am&GsM!uy@ib^pv0@bj;dIB!vecWc%8nC zLQHDb$JkA2VCV57+D`4!{YPu)|D!dawMYDo0aRUk3WpGC@IqZqNFp#sd80~#g~a9 zKupr~nLs0Zw2D%*ytN^ZI)Ud4RfIZ%$LPsC540uhqI0H(nu>rb8-&d~$F5xx#p~NE z3YBk!@m0Ffd6fl3<=S`5!aw62Mt%gtJwJ6%Y~-D6E_|NAm+u~Qlys{dQEeBa>fv?z zj+C5YP{)EkCxES|A>*N_@#f#HCoVyg#RE>aQ*4I_y-fa@ek3rK!0UsR;9}-!+r0T7 zQUuf|0G!SQJh%4DSDR?ZEkjiFXG!HSsWf?d%^;gt<`r^(YP{eLC>tcx-kE$0{fu(Z zynWUZSOJLLuWt!>P>Kai`!WC8*H}mZ1gr}VQ0$3Q>*QMVk5Y-;=`^j|b24JFB{I%7 zyAj8$axbj&(}m2S_tD#4q^f>qF+h>?*gDii+oms^!<6mCbAr{nEZ(HGL6DL3I43zD zdXfbZQJ|6uOFNGe+`$Tdq5a=Q((sVV4!|))%kb3H} zQ*15071(;NUn1e(AaP&B27|KBvqu6mR0Tk#4(?V8*~5ckRk`~-AdwJACf1U(gOr^9 z?pQ|&D6;Uu$mf9q1NyZ#zqNq}g(kBoY`cacB9Q2ScL_fJhuCln`bTX1Ua9`S5F0Sz zV(R0vsf;MmOsf51bUxxsO`9ZEwiwr|T=WqKpGueDw*v_Q)jqOdMn;XhqyBpM$ z`e{^}i@u`2py=b|6`RH>T>DyW4q!y`#K88H|;8fsnVK$qyM 
zBJ1s<4&hqkgGD^wK4y}*BhY9_Doo%&%Bnncd4gZKGmVA}Z<2TadG-2N4wG%K1!bh6%Hry@WQS~(|tcAYkXk{V4%QH-QA+_-X=S4$PBnK8s z)63k|LJ+%q{|l<5;=EXAU%@VEDbhMH{R36hd-x%&;iPffbB*oRO-R3dNs6O$xQ!JK zo?2l?8d$olGkWZIe}EOzSA|v1`7;0U&SF9D6zN3wNU7TY5G)a7iO`u7EB^slC>A-g zoa2kf>wWyEGcw%p2hZsVj;_9ROSXCrUOi@=DlOhlexfe==zO%6Ffx3Q+d zMRORLN3pKq)VZPiE}_~O?YsoP?&|I!%viN%+4NLGIR6QwrV&(VL-sj=UUTHvQnidS zCQZ0sKI}6y=bDJ4ZqE9MY=;(7bQ~B*lle|A36p7`92fcm#HR$N?hH3hw$0p{NowKZ z=!1A3V#ig~N0Oy-=U!R!HGG!p*U%b0VOsMJDCLM@MLvBAJfg9X) znEts()eecgkkBm7WKz=3vo46UqWrV3WoUh})S1J7H*w&~S>JBZd_cO(U> z1>jW}EC=Kn?d?1FzVxOaM4F?0;>qgPSlo+fsKNEZqH;%Qo7V|~*OWpiX{#VpLg)lXx84RHZQe=I_?W?fv0l_K^&`$v|!36-+T zL3Au%L*}6ysbruVbrKx>SIWoUbOptf#Sd(`duT$Ap#U4&Z4UZ$S@PJMWJz3z#R$hE z%ZCuO7cy&+4j+)hqu_|fqYc@K7`IRlMT*~imitO)`%1O}e1ygcKW18rXoJP(H@C_H zu?!So;Xan%I>)>kn00dbfQesx#ZZJ!YkAbccJp#QRSxTtrNJqEVSL?+am8*wOP0|b z9jp%a53{i~$TJc@S?nO%EHX4;E9TJ^L@i?@lRxJwgw(9HLlLtQTWzi;zUml1M>EeB z!_bOyi1$sVM)U73ER8fLj=td`@Z>o(S#6z$+o50vM{MY9?M>yu!k0O`DizySH39@T z^Rl@z_v1dHNYiziG%oi`7)M%O(6AWP&&u(14WTUuHQ$6|R?YxG>b zHT}ZT1raUAA&P_A?Nj+`#*wNP2x#*4x*f@h`Fb_<9d&*M)COT(#|;JDbjMsEY2f^P zJ0W(5O=6(&rPUg(;6Abz^r;FuNW{+yVpnjb-p_1YGGmnF8BOA5x0pCu0(f#D%4T>y zfR|Q7r7zL1RfVRX3Q3vZ7`FE4LrCUVi&~|`WWh0WMH^0ildNdI8?Tl&+cOS?7%hmZh&DJfTkj>4mD$f@i(L>k zV-ZMJd)uOt3Dflc&zk!F{r_20S5f_E)k6>m+n5ZYhW=;O8}4KNf2?}8^gSS@Ek9O0 zXRp~>pub@|tWX2I$NYZ)nbkO7oTNh7>&vf+bWD0H*{$Ld8r9QLZ^nn5Xuzy~O{5yj z1PFr1XX_>kaY-_N9}xen}HOZp@UUj>ajIisQ?)r56o3~hyG z%d_b0YvaibWH9`1|6J`ivh)nce=(=7uYZ`6K|2;^Cs=V}b@PG#o)!8Vk+}fkN#3-` z@o#<)H*W>1kkd_(#@zFD075qn2z3Ay&?phNG<2yoQVAad`&inMhtkof#G(pdd_;fp z&qE;6bg-yB381cHeb2zuyY3md84CPeKee1}*&`KxGo(?_?nTX#(MpCk1wHFIJjo#F z8cF&@KK0=5&-;(AY5;eCs#l9eFD-qjuDsVB;#f5Y5z{GW6Q$N=uzX)xC2n*?_;j(~ zHDw=7)rIAv{$7|vpxf>6BPV^Sd+CY_+}ge+W3*k0ix%+R6~0mAE&>7E-vS!C*`4lg zj9gwm-i$<1E(^!pC8~3$Cdwma=iv#4jw$7U=(isUa6&9SU8o&NnL3KfR2!9&&N`$K4UIiKa3P+p&l(!W3UH@b zrQNpQWX#DTZ=12e3fKGv^a*91IE77Um}|Nf7aA>#kNWeCWwS-~BLJ?nl1&|0mVbiU zsA4xODO9@%Qq+3N$Woe;K*6~ghpF27f!TfRwfIPsP5VGF$2F5fif4_slcBL1U`K)M 
zyN+-K1z5B2rQ**gt#qfWlh*t3HMHto%I!Tjt4iBFmvyw z0y?vibn+rgHxp?iKZ{8FI8qD@D1l+%rr2RzvI|m1H=et!b~c`Sh&H-~SHC{@wEOlv zwOdtJ!Fj%(URMrwYQVnNi=&y6g&U=e^iIN|A&TkmFb1kKj0`8&N`j0|+{euGV3%+l zUY-W00u#xTCf{VGLM_WRH9Fqy6FLA5Rx>R?OXF0bK^xJ(3cs91`Bx}k&&K2)(0JbN z4of<&$llh7-gl(pyW11F&bR&TD9!{&>pz*fc99OoSk+;;HBGgRl)l-nU^dHEM zQ_yP{Idt@wjO}b+@3hjt19;jc3%Ag}z3pF@xoGn*duY2=|B`0maL>VNElb@|mamlk zCMR2;OmSGHs>VnnEao=xV)pKEI+&P|cyJJ76&bT&(@TI{Dlb&z;N<2{B-QXB!8NEB z=1Woro8r>C@bf!KBCMM9yQsv$)|4gAT&;g^4@26MjR;Hhj<%TP>jUBgtT*_Xy!Ts{ zs}ZjeR$O&klcmE32c!!3U$w#*0k#L7)nYO?8D|i10r|Q+KV^AMHCeG6-!)h$uzKt^ zvj(MS4~@?OxsjAnI65KSdYGId!nZO;wT5J#kZWfqIG^GZE{&^Y-+py+2&%68+5gJB z;1AR$d0qWGhIJ0(wh@@ysa^z1tEx{Z#Oc`NP&6ymxXg?1>-z_kc zA*~_Tkzx}$c&6%aSSoVNI}q6K=kdYa&ce|or&m*FH8>owC-})0WdRP_-7S~ZyH>9ewxvEF8 zgb*~rtYv;?ll|cAKYK<$00~F)9KBm=m&UIJTND|eC9=P$CEuveeDeB+Kak8#xf(%+ z*!Ir}z-Y(M3BY03!stdj^%*#v%>y#qiC}g#TkOcUhk$!}-`>ar;BE^bzHu+9NwV3{ zo5+s|b9Ka}zn1ojOQUoPhp%-Wc~JHzy3Iw28H?zpHE^w~q*y)V!oTO3HUC+Zn+8^5 zFi*uO;6-GGGo{H9O<>VPU@NXd&c@pV`sG{cvA{65T0B~bs%Ia%Ybp%m(X|J~FwDx^ zdBQ;!Rc)-z{h=R_&n{$F}41LJbW)M{)byjwdEvnRmh7G#WN zq%+fwZ@bzKN|kH%=aB_tTx)iY-x{0ui*GS1n=1DTAD_O}uh?BqWyhQ827SMZeNwr>(Olo#X#>UHYf})nx{QG!qsbfS^06+G`9p*`=Z=t1 zU)&~#?@V^M-zhW~$kd!2c@uFMTO2vPl9*QJO8P)wHP6x%Y)K}nDp=gOnAG#jeCYmt zEE)mN!uT5VXg)WVUmyQd#B2}w-b~3!Gnjcbx@%O3D&WIk^`@%E&b3q^q7h6yai|q8 zd8Em#Gi!+PC%knH?{LUox4T%W&5VQUF;^$8vMF2&#BJ@{`=ue%)K^7ogBC_?|Detx zXERQ)JV8p9V(SC>6Wbz6CW|T#$1fEZ)qU)>J@H;hnwPaqd2vl&P-M@h9@D9t?ZYmF zszk-R=D=qhd+{AoboC|SfIIC!GzSj<$EkGQ zsDzdA2*sF4b4{N5sTvVs+Cj2AtzB!A399s_s47zg`)o>bBT&_at!BvUfHsQUZUjEF zgmuFvQ1xI&L&8LrdNAghrtM8Lb!4fA1vnOZrmHDX=m?6QDx`SS-jx8067I+dYBo2; z-{KcXshNx1pa`|GdTXGx+3;Q+T+Uyp41g4zW02W3QE173!a}b{^;cbq?dQLWGHP|aX)WKxx z_V0G9KU|x-3!8mhEMcQL!`Sr6v9qVFgqqEp;eck&q=dzU1)R{MA(&kOL;y5E80ywj zi}Vv-;?m?e{w-{HQF}f=#KU{u3@e~WF)#TtH_XkMkJgh*9T&qaEe77R;%u*xSy^zG z8M!tVb~dCTZKZ#}h7R*_?&J|}S_WK!DG|nLL;x+qBu<_&lTEEoeR1X z)IqRq2ZWD{fr@Y;_j*A)V@rO?9zhYeU;f)f3`%p1&@$1V5&!xCs%62^^{SH^KIa6N zZFy0?Zq^HT{XbS~-)N$q+e-WpGw3)4*K_ 
z=mOreMvoO=rTg7)Nc|7bwE{}tw30(o)vWkSBDNAxK-KtJ3u%E5!kZ_xuNe}J`9dTG z&VKR@$$g&A&|ck-guV*}rtcdq4!^n0|1ov9n4Lhr%RO4#Rt7GD{%Ce1)W|HiZULL9 zWyf%Ud}2fM+rjEZ9CXY5%r$sM4Wzm~s(>?xp^`iv(2+sgvv2q3pG)*So*J5BJnWIG zH*9GucDX=E?^#vP*hg4gMatw1Z(X^XeRV!iCpt$2aE^*}Hq8}a$ah0B-M@fAI$V?M z&QCEI*}t0O;*z2kd|ARkX%!d#Ak?mP^WOae=-S$!o^8?^P!pc_PNb zi=v!|%eb_uk0jty!}K+gS@Ofr_yhFUNC2@EiD1qArBEUj+OG&K*BtF$UA$kl++WXc zeS$Xf=#AA+Y{h-Us<*+kXFu+GGoF0489!ro!em@?{G?pLmvDE+(D zj;8lOAVE&7dJ5QRE4}T_KgG>1okBUl4nU%G!dQKOWD-vM4hViDNjo6()>OQ!oOCml zu*}s8b}iGoMTDtpEq;OiLBEs3q5f%X0<7o1h<;`ZhfW+Km!n!i6>+ZY2}>zVqy5z5 zlPwFYu*gD>ejYpdqInY~TH<@0di$W~4Ei8-?faOzQVyU)cY;Qk7Y-N~9-g2yndmx`Hg4aaM-fs(N-l+Yg52$d}k__jFcv&ailWbkC!p za{gG`56wJcFo4*0qNHL9!?r2Xe{a~6Ah#PW2qUgDaXNq9)pYrM6vVvh-EPAs)jZ^k@IcaERqEwU&@C`M0C* z#gG8PbliO!zxN$E4b&39Rj#rp`U?(eq|Furfm@|Axa(QO?G1|JVIhxIR?h-#n31?2Ya>RyDLHGQxBK~sHVe8GMwy(jZb}mG~kqZ=Tu6obtG?+V>5R?3ya3AnmY~RJFq!r zOX7$Or2P6dH1NL)4{b z>YBCI-pa@EPBX=4OCqR$!c~p@MG;#eaMZ+z>S~EeFZKbVFnGz{c%4g}^gDg^fXYyn z0nAK9bkQJ<&Lq7I#O5S^$WVw2>@SAc!tA&3Gaan9+Ofd+n(qxH>}N9Gm1mhv;^QD5 zW;LyF(FkgQPSM}rtQp2r>3_?7FSS5Yx8Wf}Uwi#~2Ta_Wg2VW)I__MLOYj&0gjcWm zXvs)k*;D1R#m8IX$EyjB&c?9u(11X!C53S7hfGX~R+B3pF0e@t$+NLr?h=%#oy9ZJ zu4yb$&Za*|4v2$9K@@N8mrm?iUKT`})TmrMB`Kmoe4$x3DiJ2M1LZBQK})Pr<=T!K z3L-7Mco41@6z@FS1cO`!2x8U`j(ZW9$Dl=qv-d|c+Nk;C&n7_X6<*y>NIL2JiSJJJ zR_1cZk^P`uxqw;NjN`3~P$l#u$Y)6$hV?6oaL4z%LnKW+tsAOZqf12=eq|O6uvQMX z{2}a?xwwU;8PKfk*Mw^v!}1iCx(zn0#Hf@Bo6qGbYy375A_*Mo{hiAS;Zwnh{fF<$ z%fvw%Twv3;cE_qk&ni}#osy#2_@j!I(u;W_il%*o)(>m4y2aXli|osqvB{dfVOt(a z$3jEfLS>5r+;q7u$%dLZmtJ#QZzA5_^cfj@)-ijsyc87+lJCeW>qg~3DGjF034w0S z6o9Qt#{qlwuLn|)jNqyR@E0lJa%fsFQx#x<{)KkkaMbbTdVA?dx`T%qa}1ZmA}4g8 zwlT2lfW$BfRKY3_?x2T&qgMw^Ta|&(Zl<5TW4Ig&b$uDUh~bu^IYiQ0b)C&J-H9^= zGl$p)khSq_Gp-s-V-^fVqv89LzDSqf~t=xvl2)P-f_?t0>HIqzzmt#V{2OkMyyAO9 zkW!GdQS{BYZ_vybb(d&N$=mea`!LaS7{IIs!gdg~(u|UNyx5QX9!NAxji0JwZGsv> zot%`{$oWM|qf3(1B*~iTB7K05@b2(S2{NGCQ{?M_@@-FH0;3k_`dyB1zvi9&Yf}zd zW*k-R$DraXgRok1cNtYLXT?pL-cz<(r)mje_scWT|F)$uC&KJ^9$wYzWH9U}n}v$J 
z!?8`DJNup{YMSy?j@2)`qo$cg7FFd-ZLHxO;52*48sS@)`keigC}--N;6v^A09y9g zn;2QUv|on;=`)l9gjf#jY&$ao%@Z?Ctq+GC7bPzOpM?ypPPlFG*jHmTlJhP)?&w1~ z_KGUrGgJ=59ho8}IfC7NXOmItFjMzlV^wrzni>c9Sjn!hojeBCS@%p$IGjsooHJx! z98T_rTC-yYeF}ndG>q?KXLo3A9UrjLu&w@XL$9uB^o%EKUe-Nl8+wHN$tl36Q1T1R zbH1GKImCm1$=;LFWTnED-+(gNVn4z{4gC;l{`6!&XzRzwmVu!IOoLgKC*kYE8@`Za zlkFUmU-iq49EmE?5bRXnJibRxoi=cJ`A^iY?NCNaUs0k5Q(lU@QG{vsDC$}&Rutw3o3~fq0M42-AU~O2NLE zKCG==77c^kt2R23fqBf^b~}aWFiuSvGg+i<0F|F+D@>5iz+}q;M~bUp{jLkeGK77q zW@lT*%(^@v+dixUXRy%{WuT})OL})G-!c^mX>TT-jz)89?V{IBlU7T_`X(K zWB<}ekWcgjt=k3Ob|qAap`b4L|wqYIwynP2t72c2kpK?|Gd2T>VMAzDUbF1;EvGf{rvN=h`Y zb359VbPAfRI^mNHknInIL~X#jFG*f9m3gAL{A(z`JnqatQnGC0ZopuFeH}D6*nw6C z@J-p}HF#o<5Vc95E9G4L)s8r#ke=irrLyqy#2nAcv>fq0ehr&-S$p?__~2zmAkK*!bsF?l-kKuzW3+GW(`cJ7>@Iw5$ZeGVu)$m($~_ z5c}Q3!Q*Ov^xZ*WTx&-*^Wouq9A2!b3?|?G_gxy-R^7TiO((Y}HS!rxgPmZo3G1EZ zWdIrTPuQ@k&ls?C)iEbV4Kv`&LrtD$s?c@IvxJgkT*h!SD>T}`Wiw0fx9edv`{GCa zeEzrB+y0XR-WPti_hVl5Y^O}oozg*-vF#_=uR9pzNDSI-OY-*DDH5EvF_W(=Wmuw>aFKjGk%;@Gh0Kl%N>2g^=nAwi9Tr6dms>C zTbgBVWHcu7OOXv_sg81fsnjmHwT;7LHcKviAGgGuKTflxGF!l*%HJprp1=W8+EP2JH|^=9CNkUcj(0>SjCj zTh}TSob4JkCnL>*V6D!$t~Ht#DLNO7V?<#|=hZ=h6t90_H&_r!sK?-yQtkt%zw)Ww?zOQm<{9I zkC5|0M$o_!Z9p$1H}{6nVCbdTIb`!zg!pKP4e}-lF}fA!s7bmRE)?-MVJ3%&|7la- zxwc}7LsF}b#`_Og)WmkYRn*tnqI|Ws&Pe*05urD;YP0E6KpFcBwz4{r_0Ds__b8=S zO31iGzRXT;Xz9$+uLz_Gp)drM)T;t-eo@>z|9HDgIvzZdx-$Lhd^6q%p*nOKtE4|x zB!OoA%T7mgLt=ngW@>-skKiX+oI=Xd1zGmHF(PGqi<{8YGCHs`nN`5OhVNVLBZ6@vt zat|}G4!FdaLwRgq_!nDvDykhC4sj2ed-J}Ey~O)qx{e-Bsd*aR#o_V&9Z%GNz28Bd zAOY2E)<@b!`<$657>NIPIm(Oru1hc&tSUhC^8b$PDwE@cE5A(Hp70n*z|Smi6Qe$5 z7((ivq0dt79YsABNoZr%0FTo}hnR3`o=CAkS$@_|Ga`cNV&$$p9(z@-YsM7{x($3oz?V2gq&F<6B zXAkQNMw=55f6rz`E1_{o3jI;OQrm^n7W%ZImsLtp=f~A%8WDX9sa66zS<~rpgb4ea z@W*ceiMi;vnIOmeiXAu@yG+d$_~bg(I8}kp7_F$9m>gzW*pHmpgNn3(7R2wnw}=9R zkCBraT^zM98}uT`4F)`0MUud8YuixD{H#e>vJU4hvmh7J3Y#Sj$CmxRp`(G}bNIY;juPx~F^5@N9hL?a|?kg-rh6>N9lr z;^BMFiE{OHF8Qg!_u9>jQ-Wn$&DQn`Dla8T3BNg~F0>DeEhX92r?<7aw+=64*wQ*~ 
zk0r<*rYsWV&>lFRsoC(61M{3lTu{4GkX`kyc4H}?_FXy*cozG@-m_ormK^Uk((qGE zVFG7g6?N4L7Fqun0J%U$zdglT7X_1*tdrU-YDHV;+U#f8%gl3wboK}9r4seI6L>gD zav4V>4+Y|}N16SqMl4h=k61%21@M0^%w$r(T3MxW+gduRd|votbN)TiyZ2@0;WJE{ zr+s~>?=_O==?%Z`cx8x^zm@ron5F6BN3Q^^oqGR))*DW(nN%O^-v5#NhMC5EH#qYG z_g;$KpC9DvEWFq!w3rFyMX5zh-UFl`%(i4#X$b2Q3ud?+!Ddo84WdOZ=}2^8G@HLW z`6Ubh%~hldu7F`)b5g_x=~TI;!M+sI{nc*;LuvVK+f+uRyCKS6=*(mPApbpjdGy@M ze|J&L^}mlQMWDQ+J4+SVsd~32yI|8+8)O+Y>!!*GO{*uftb?Xq6|{o8kyrnDP>}}w z=T>%GjQ>^2|9bfP#gT>oyD07O|5+HNm3(Kx2i^AQxbMz#KRhPs7o}3 zTw3pc!#J>Q^xvz4gQET){$bz$F3KZ_*7D^(>57eO2%y^l2DTVw)->d-a85otdO-uJ zv1420+-2!@QKr4lrmYzcr#zXuD7ZyIe*?wYQM{Z-L|*E{|Mla*w!!~{SI-OZ{{{SI z;r}j*Isd=Q5V1N&ACCujG*Efl4INu&%JOhzr7d4bDZ&2%K)Ja;4Wqa-Sl7n?zd9(y z|2};6{FTlBu#@t{xpY&!0to;Dhn>4~H}gVgwDbc^4C4UE`~-}CGT3|K+|2yMNtO#D z7o7xlBydn`#bj|%d!Hh$r2fhyI|Ai*Krzrkh#48tg6r8L_HO;pK;;oA`%m8t9Mo4k zKxku2oD$j+IDsE}gT2Ao^@nS6K7Qhyl2eNF{`A_J_;Io~nEL6E{+~^MZ!r2J9@77d zA7;}b{-5|WS%t%_qY|AQ9q-Pn(o ziF0vw4&wrei7v8x1ApSVLslJr+8eBraWwIUdpO3`nR9i1a`yIoFrVyY#ML;SB*W~( zgPnir{mVIZH%9aOKRSGQSg`*;q>wQ7{qLYWanAV-;9|ODZ|}b^{>Oj!=Tj$%$KUnP z#3(r)4rBKYpV(|US^}AY22kh_g5lLlSE%&E-1WnuneWiNe z4{xJ*?y~4>|1(MN1MjCAJ;w0G|&l3nAEG!2Fr@J~z*=O!MJ`p(B< z&mWKTtK58!0JZ@vM04j#Sb^<*e=n>x_H#3Yacai{*q>l+K$&9~@QmlkXmlLwedKMi z=0}GtD+jbmzlMIzHZ4PSqsp7%WG*U&eaTu@uKNa81sD-o!PuKeD=%@xFxk~|q%aJ= zCP_5*>E+3zV*7%9uw=T4dVp+gjA_~1`=|4>hc-m`(%?U5+!zM`m5gJb6obw`_x{<( z!v0_UC-*P<3wl$`k|IhW2>}l z!%Bf{g2l#;>nJYs*_p@6(a>d}9w&pU(W?E7$}?5JrtEFQe=^Uks=hNjV7-+~>&$;T zXiSThfB#!!<$^V!Q7gR$LX!N;%8O$lzo1%@V%$$`*6YK6xify8L~^9 zYXu}J{fdo&e&wypoipbF0NE>m8JZI+IUMAgUEIEl(#zOO;3QkRK+v9G@WVnE)7hBZ z>RVx7OaG}mHCdACbEI>gRo2=V+LW4od+_Z+Tf-{JdBt;);ZueGk&|oC-oFq{SKOX+ z`h?Q7`)KI^l>~i91Q4>YwD3A31gU@yF5_s9@M1|Xmxbu0d&Y;WHHpRvrcNDu3wT!u9fHUO?hYoH470wIVa+OJBwx)v zEV`U&HZ0j-md_bCL)3G|SdmDsN(@DbYz>eiW)&v70RO>r&SqBjPBM#@!K4i>*0}SO zS8~F?;4#WZs1q7h-v27U2=!SV5_ZT{Vy_DO$J-Eim8dr7v@1J2tUIIF`;Vo!^rZJs zZe1_uwQn)oM!maG=@6Vv?;wAI2$Njq5*gh(Giu|HVLNDT*9hW2eJfA!ljkj*XXdXZ 
zBa`6KNcv^?WDJyJ*k3OC%$V?-s`V6n7Y9JLMt7I7zw!fb>YXQJH()}i3aG8q-&jqH zHHo9e?+1U&AI`~}H?^lz>`l04Tt!j(0}7q)0q4yt9+6gO%kU(57lqi_CSCjr$U?mW z2elZt*c|>wo&X*NO3(%=qvn;p0jdf^b#eN>VVi1|7rK}NZ>q%WydRyRq|0x415d=a zq^frq^ph9Dt`Vn{x#{9V!Rm`@)K#rQ(_<})GtdK^4H~HO=APqMhkxF9cf)F2gX|`K z;#*bTStOwb&c&^R255=LxJtfPz*6HT?ZbvpC-8SB23jV9YZh#RR0~#4IPX2uPOLV$ zbX2ug141^^q)fYr`|Z(=b%4BV=N3)doV8#AtMY z<@gO@QBgJkf5Ur6KHh}`pqP7dbiN-%QB<5ToLoX3H#i%bV$aZ zWa0#O0XQ2-k^&>WVtP+Dk$94{K#Qy%^s!=Mw+c!=4>YMd-8OC~Q`oa|J6JHgl>CyS zREH=8-a%2+I;a_leWk5fXB2fSOG8{PlbQJfuvKBwSm756h)MLn2IvZlSAhrAj2ZbY*hAProjDnm zlw(Ol5~5A<6)~qfC27N*D^Vs^0l?uR@9N*)dIayOThS11m0*MSVKtwy zVuBMx9tn}`a^w%3OD1ziO8!Sb{b@PM#PAW`QiKbvTbKm<6IPV)QDV5BnarHlstm%~ z0n&!~@^`+DB&>7MSCgy@cV4bnk|+49Sfrn*B5)b3L|I>}SWM9eRKsV$sQXgmKxeg> z#_oi}>U0)I%jrxZ8ra})ZWBOY0ecs9kZQlI!XQuuP#RTJycdUF8VO6_-g-p-!gNAp zKVetAFj>ZUN0|78L|v%U7nShVmWE-7piE@wiv>HE13s|euQN%X4!D(;ajg|KAnk@y zzAsd)*DA-;7u;b@phXxLR<(Wi4AT;Ki5A@gnH1=hjU|3Sc)+7hbje>|KoOjaB<&ak zVLdrKnLv>w8aU^8l8!Gls>}=t`k7bFq>eH+m;lQ_p*d_L&8#u#0;y-smF`BYN~3U~ z!5bxp8cw#6G(5cCDH?ngIwZj>^7FU{brWe3khV%Tzj#q5#s8nkxc?Pzw2qHP3NJ#F zxma-T6O=@e+$oM$K5`XGN? 
zB9K6beamKmx745GPWvg$8bBza&D@h@^k)s2V3=`ZVef|0-Oa?g>&S0S1-6|@Xtybn z-MI{Q2SV4aN?9MjShYP@X}j#RqMruJyL?u#KE4*WknL6C5+VY}2%pE8I7p?(RSLWz z4`#(o-oQpGf*L$b5_lm+?oB>8%-Wfz7lpR~18L~`Mf;UHz!wLMS(O^XjMi_MdO06w zk@sYLgh-M}Q}n0oRxTC*t8o|?jv6+4!~(iQH(o+1nVjEw>ui9`@G;vGi7>ODhGYtz z4##TFrovxO*yKO(seRy6`=)B0VFMD)zTJ^{L=~C{b~=AwDz`Fj*u<;#c5ge|mfx?+ z?aF6`&28E9m+YR2k3i&#`!#mMr$i>i_=C4%LmtF{B`Ny~;_or0A+ag76i{ z8@N)0EcmSIlXfXW4S`xjS}lV5C^H&3Cy5h8Fl{%XS21%}Ua4>A^u!VKbT~lfrme)s zxVhN@R#`5vvsjGxG{GMD98erYMCRx|zW{iF8LeGhTAtd575ZX6b$eUNic*PyI5X|$ z$rrM@RjfD#@)$IaR!dc!3Zyiy=#;2!BHhtcn2GILw_=&VpF^d)Ve`~vzK`5J{r2^% zgBg1SUdnBC|6>W@1&&9yc;*ja;emha;nVm=&=$)6Xv`N7Aj+c0-q2n6efsH1Ir+~( z=@g%(^9x*-d(VyWvT#9b%NeNIQB=9n6f?l}j(decd;2}~RD};0)DZrr7zM|@`F)@D z)uX%e1Cwy)t_3ImaB|t`P9(AKZUKv`G$R)0s0tk~~YXDY-Mfk=NXrM1U}nix31< zZe*mg0R`;0--7(Uneb&|h7J1T=FA;y>XFMKwOiY1{ z&sxgFwm>&KQYtpa%~?meDC1QdJZK#qVomxVQ(a<1tV!n!&?%Oa2DNXOrj9WezDbcH zKYw{3AObt?B5lMT5pHs>n@v@XG8+F*)L$*xLCoC=n(`~GDI;grawyuk6 zj-}P9PD&#N)#kdXnn50+j;cCiL<5~_B%priXddRJKK{#qh0^F?jJEvm&tDYdzr1>V zXyd=`q+npTe4S?h%YGEOY?5&M1E=Ck==xWsd^9O({;^k%lU*J8ajUcr36jK{;=yYD96Lgm$mU9 z4|x3dSFev=9K8ZM;qd4sRCiu>J&~&NC&&L)=Z^@r&s{9n&-#&-w)me1&kOlK4qv}| zZt1_B6qcPCL&Ce$V+T*(0^L7Tsfhoc!2fqThB^Fy`QrJJh5x%KHRu1~LlU}+WEQ0# zK5Tp$%+LSz>zA+X`R}6WoIh$*(L@B)knI&a6yrF}YOmM-% z_R6ZrXb+MZlbTfwk*m(8p)RklIVUCC1vb0BJUL}sBU1Zd;abDw*g2HHl+}LlRitju zXStzcE9X{R>$EmL1R*9+rdGI7Rkv!*xfe%Jh9@@d`cyP@av zUHtmmrk1Bi78I+sl^wAFCyJIxNsjN2h+#sF(kySe^RAW4yqirpATy@KwEMkSQ z>QhbE3U%47Z@T14im~F7~c8_!=I9u@QdzC3zq>Azi+&FMd%;^E?7$>7ts4E?F}AhWI###Qi+i7k%8O6stb zp%zQVfAptbNT`;QQ*!@c1=k)P4FsfNz?$D`3N2Nc)r^3Jf?=}&(b@QD@tb;6KtR70 zggspNqe8E7-~)DIQHJwSjl-lOsMC=JR|}bHX~nE?=>=Pr3O%!RUIFRo-SGo0kqIk7 z0+9E78N-S_Bs2rHUU;mw_ASdJv>DhB1Q;7JEJ6zpqLg)_1aqM}Wvtuz8Bkx#dm$dlH40 zbTR|+0GRDRw8fAs0Fvg5%4>4+WATI;mV_?6`az(-bVeb+;G zr2F1Ce?upegg?vTu-DW<<;cvqU->lg7O{t?KPgcLth3dj8!Tq7N?RrXTjy?mn_%0+ zlgo?uFRm*-;xN)KHg_?QIbsxILQWE6j7BR1$psP1=12}#3HPGphraLJ%>c*?^Gz9> 
zU_wE-(Vh{&;zzn0SKjSM=a%JjEWWrHgFseOWeVV|qS(|G{j*<5yWxhg9uPpINRtdJ z`DH{Wf7&eOS>Y$yX0TO9nCYE+dlV8q9ZScushJ7AJ#bxw7|GP*s~W-77@B~k-aWqEhkxy=6;%p z7%+Iq)t#RbqNZq(iwQX!RaUzQq2}BRPRZ)Gs>YVj7SAu~<3SmpZk1Rf-;f?Wit5mMq#U_x0C8M9Jzw6ytEWai!F$t3=@tF2;jQ>8r z{zZ*%{|o~f0b>R`i=MLs{$J@J{7vl`Xn+VyE|CiPu@L-?XRy1l~Iw@qL70I*~NQk+qHeSM&$ z7R5uQVO{9TwE#dQkZfL(sx=UE^ribOqb?)tnF#lC88A+xJCl9H!eVM)oaxmr>?F=q zZbV_fP_#RXM9}WOUroc6i}pPh1@Jqv$RwCsXA#-F`>uMy8JWxcf%WpRnc2Rq@+dOojI8Zt8fF9bJ z7dA)796w{&P}hN)``Y7uq(}8pL>rRP{$Lc!Ai{!;$zk?oFv$_D57DglNQGoPa5W1YBOmF2rOi z%-l43ZuJFjfah+dxI&Q_|^3ZhK2m`^wRl_$E0#D zCU`|^g#^_F?-j$3a=Yb0yNd4=u{OEfIX2Bvtrn|V ztm-(DGSokcKFxJINZV{SeaWzER#&)VjTT08H)2)Sxyx5VZANj!1Z_-#vpHcQxH}4# zsVQv9NpsAER9JQ@V7ZYj!3pn1WI8R;A0>5bR|~*mxlPM$Zf!XhFY@xGahnXZ-C(mV zvzaHE2?fIiQeXEJV8v6B^u#URXnmgQB6N}*$k=y2Lf0ReVqH9M20yG^&qCU&d0R-U z77J-xnydwBFWuOkTX0)dEV#Ac)`D9LZflxogIj~@+EvHy_sein?VO|*(;IMk{&t8q zX|Ij|po}Aw3ZI@hBN~gz31IJe@+HMqgBvmA({YgjnU)TO=dnB~7(+SuKVKMO{d9A4 zc`Y5;av|7B!p`yz#F#)pnMV7?!d&I0m0^!JZ>~`;6tb|dZFlN6isx>6?2PWyHh`&p z<;L!1i$$L(CFmuM_Jk@UJ4T)tO8X#NhBmUa(nF7>)gYcDV{)=Y25g1Nd_>{`u~JIl zz!ta9vd?Gf;(H8&_o$Ngo7IF0x~QfR#cw#id{eofYKyP?*q}$d=n7eG7D@ouD!>O4V+Zv8xst+xk zp+T$MiDR=7*{#Q;d{qF11hLL63MPrLjFQ41mZeU@Lw%ruWj#gd&))sTnYMdE z&9*VO?8aTZeV)nKkCA zKhvfKp!z_f{@9zs)oVBStCTrhQDX&GNqMk_Od*?Q>&a@%ZI&&pQD3fiV=>L0fmir% z*Jk1wsL#RKTZ-8jKd6jG11gdHMvdfvfh|yDK~AY2-gp;KU(uXZ%1?f~*3sg~oVa(e zf0IulFCj+wP`Ewjq<#;85D@OlkE2kAWNj*m=Vg&NFk$xqh8ehX_m3!~e4H?19~RZ0 zVwf)$i32yhKV8DX48{4v`SqdZV3y8@FzSy*RbU0YvYq~$mhubK&yfn?s5AeosQ8BOmB8ZbW}`q#YUe?f>}0iA;;l?u1A@DItB1l1ADd%re~Wf>{1iH zO&SfzZOnt$n2(2FT{_kwup8V`iSOaYN`ya_vG-}EuSmf9KfgCqCSV%}36Ji>%kDNd zD=uUJph9@tK{bBEG3mhAU$_Ca)3RnaA);7}@Cz;JNSV#0{TE#bj36H2g3Ube>S)4k zu<-`O;JTRl5fXtN6M)9}*@W=h4bivO5{!twb+6B3CGxr=@Cb>gz({ebX=kkO{i2|!x!@Z6HFG7vIRRAegFVkRz!ny zINHAN@6m;prwBqdB(Tn8_dhWqNNu=IgrlJQZICoM%|ax>V6KH)MqYH z24_s(L}>VXVnqJCRQ)4+>`%i?Wxt3f&a=ex9M_%n;g7!0Yqkxm&xIP@1Z+}Rj7AG# z;-J|?`$dV(XlFulH~8Y#nZvmgsxF-X3N^}yu#cuwlnPAAb%U|yGYr?UOhexQ$n?=#o7EW>*{JIhr 
zYHuu&cfZDg(ejvF_94=1>B_{#vNn}>-@2a~A9Ze9et^pAiMw3PO~@591o~s7sD~_S z%fj{JrkAFRUF#AbsznpZn+Z6y#T$l*gSKaTJ->Aqnzmy~ieOXw1!I=qP!n28eBIe( zObjdgcn8{PP*bkDjb_jV0{AjE1pw3WB57pSau5JWyX&_`%B~-yXc~AtuE}NKrs#$8 zn0#qAbd-S|>5z*sGMzQ|?yz=L){aW6SUW0fN0lpItsRx)+!drk+W@`%2;M{t9Bz%u z;^S;FypkLPXhz&#{lp||#EP=sh}IiXyI5~T&0@U~tBb|IwdHYnBbvqrDPUi-R+_>0 z6dTkGVRcKYXjfh6qUPLdkqBM1M@3pJWS)4rd931YB%ONF2|o?ok-m7sPv5vBGx-E- z^4^VocN9R22bV<@jBwd>`*SWTsW8KJ#Ucbx*`;37NJ_At_bSEFT#vTP+BXOvZ2k`` zeW;qZl|HD&Qa>$Cwjq5mQTpn}CEFR9knxsoCCNbcae`>*Org6p)a7DMk%E@GfG)Ah zz&Ya=6EB+xI>pEjiZ!)k{ccO#G_5oCNBWALi|@_UI#~Y^#HwG5UcxJY^A{`PRlB5` zcA>{v_*RKy$*6{6$tX)k<%%VvNJ!H$8O5bOrZ#3=(8^Pu;W3d(nQy9KmW#R6IjXf2?%fVQT|wn96r77oT#Jh8V4 z2eL)GvkFh%wPcW+B|We{+G1@CtBb{3wdHZy7#dYibuE~3SBDbPGp||d zpyXqQjK>xb-pF%fFJ9m3%Cc4!#j;kGwc6TpEQ;dgt7WYW!gdLMxbdDVj0XnR7Ckz{l2fc}5y6_xoiyX^&c7n(XNb zYsiq($W6RgM}0t!5wZ=ZC!`uf>@xu+VDF>9wy^MeD(wmD)v9J3mjR*n_%VjJQWoL#l13m1`T5kb4W=qvN8_iwWrIAq-yW?hr zo!huysJfAH5pS}Ulnz}-;auNtT3u!Pt+}{$y!j%%-_LCAv*@$ z6he1qEwmn`8%~A*4x#Iq0wf9kGg&Scfv@DTK}ZU~RfK<#0bR+ih?>ihAIvnoU@<82 zU1EkwH^EC8N6RTDkOBH5^;fyzMcat@ehUZU#keo)DN26G+6${krAt9frm{tyGJ(lpAcjNqWdU3{m znu#OGf}nIBV;%c9p7yVNQf|m&X|Nd=orbu%%mYR&*Y&z0*$dlzjheV;T`5+^(R|^? z>D+5)ZA`(`Y1Xy4U@Ys5GA12d`vK*`r(Z6UnU+jW`%t}b9N*KzH0-WTx8YpvTx9#l5Sul~W(}&D zzReo+b!H7BTw(;~-wW&`>A9y#j{1{K3&T@2!6$bdhe<2<{HjGatF^1B&;bf*GVvBs z~%NqPh z0WNn-H?`PoiR@*#qb=2NUpA$!TB+3vO4Y>n>nAsv`CnipDZDf9W&ZPSLtp~ueHE=? 
zBd;siVBJ@(imiy93`s>73rE&<=H7VbhJG^F^D&eA6jKl3M6e`uA0`fYuPKI=1q`|k zBdmqnemO*u#-wl@xPo=4P6LE`2~*>oTWRMr!qgeL<4>3w7M|4{r4p?<1+oJBP3OCh z(xYRi$Jf;^0cOP*3u5Q($#F$lci(W6)NHyFLEyISAW1C~FHKEotmUF)XQ>`asB7NI z${Kl{Hi=nlva5OD(@)IeMmn346d1NV#Y~R*-R5r`IS1|0s=Rm2c9QWr%zd>^+ky}X zc*uyL9pxov43VNNGc?ne^se9}UA7tUvKY`~n_;<0%S~3z+j5g?vD{=!ldV}HAyuSV zmEm;F%KDZohD%&44yxvLWbskUr18z0Yx>5WOcQ5xPl9K>nk?R)>VvwkTH&*BtFEDs zYI!P1YRtWK7U>+oQ&2+Ho{<7EEu+6*n(jThHIK^CnnwB@3zKW z{N=8axnOWp;V7iY{4c-V@DO(rs_G5&+s*Koi?h?6@ef(Zg}m9^PJ-nLKX|8N?1KGf zA(De?b%}N$OfU$S8-b)}5Qfy{$3&e7&BsTY!4>Q3BRVmDRdHuLrfP0ljHf>p}3WsTmZz$B!=yEJZ;mfnx8A$Ec3#wj1V%ribu4TvseC?L` zu!0d2GOydSUxMXq)pltYmPfjwU9B!%6VB5$Po33es=;_pnj z(y7$DS@vSBfvo7eYTj1#t(M13K7CoD?=4va8O=g3QMD-R+#5wiqa$B0Gb>u7Fl3S0 zuZwFiDLqksM@(DZ1r9z~4TN5`~^Xk#ZOo z2?@W9U~v-@q8J0Py0dbg#Ck;UDbs-zB3$gWjSHEI(%3{GQ z_vY;6a%WbeYw0aZh|zIHWS#UW}B zWt~*4hOJ=n+F_2scguZRiEu&$Q`3V6^0ZaD5&t z%IXSTtrb{b3tH*t1aiM$hLd&`x#cODpB`TLX+v>p+VD*dyvw zc8N?=2zxBj)sU3jW2xhld$?qCCyt_A$eH$Q=EfB}g*{?y8)d+jj)Y&(=)N_MjrK(x zyCSu`(S#b_DU1PN*)z|u-6{K5=F{0B?IORy{f0wMZzV`KB5v zvMQ&V<-ih?WcNQ=j%OH}P+X6FRM7NT{)4yfqNlS0y@XO&`X*5n`;MGOx7*lpb`MIf z*Z!!q(IddBJ2#$O049TH4)DDD)OkOYhj3Ca2oeqh;d1aH+>}CO^J8T9=sZj*g()Ihbi$x*X(vWlV=r9!aTH=2N4jii2@u68f)E(Vc?)&? 
diff --git a/golang-external-secrets/values.yaml b/golang-external-secrets/values.yaml index 4241820..bda2ce6 100644 --- a/golang-external-secrets/values.yaml +++ b/golang-external-secrets/values.yaml @@ -37,10 +37,10 @@ clusterGroup: external-secrets: image: - tag: v0.9.13-ubi + tag: v0.9.14-ubi webhook: image: - tag: v0.9.13-ubi + tag: v0.9.14-ubi certController: image: - tag: v0.9.13-ubi + tag: v0.9.14-ubi diff --git a/tests/golang-external-secrets-industrial-edge-factory.expected.yaml b/tests/golang-external-secrets-industrial-edge-factory.expected.yaml index 788f0ce..0e5156a 100644 --- a/tests/golang-external-secrets-industrial-edge-factory.expected.yaml +++ b/tests/golang-external-secrets-industrial-edge-factory.expected.yaml @@ -4,12 +4,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml
z1!!3t2-!${vZyX?4gq(}qKxF%`G{p%!7qzZt1=R{p}O=-F&mUu>A<|izm(RY$|O!T z28+&PKdRlfPMT%PWQzTn{KDvI1{8gX{c# zcnml&HCy}_aoR-JF;$#cy2o2F=5Y`na9jhvy(D)j#n||vE^+Cgc~k%Z?>$h)C3&XI zA|rWW`s3S{97b&nIMqw*S(NB8y7XJwLO?BAN(HbP@gNN38Uth?RmN9i)RDfFi-EMb z*P*g5+2U{~2Y2bv$yTjBbOwxP^C0iL%eae@C51bikyrPU=G!cxfBsB%aW<&nPp!WcPXS}iDDfrcmICHJ!Riu6GKi67^`tz0B0o(Slu3&EsQ>qW+ zT4=7;#htJpf2V9SppRl+d00tt7wjnrbw~cb{{G@Cp-_Lh?Ytm^=QRp}g6kZDuf^rp z-__VykoQzWA>l35#9_vBCa}De5Nf}G?|ECHMrMg<&vCJZ_K2qNs*{jvN%=`_K3-I&`}gIEkBzS ziiZ-J`a)UFI$msPiUM4gQqSb<|K&5%6reiqBt8!5XIw?dMgk7ZK|79V}}qi|+2>83Hj=1DQ@hBgKVpZw1qG;lNi z?L=aZ@6BOCgsi=@|MSOf3>k78;)tkOh$>*$3~O-{{N<-{IBnC4{{MH=b$R^;glwv( J1K>vh_&-eMZIl22 literal 0 HcmV?d00001 diff --git a/golang-external-secrets/values.yaml b/golang-external-secrets/values.yaml index 4241820..bda2ce6 100644 --- a/golang-external-secrets/values.yaml +++ b/golang-external-secrets/values.yaml @@ -37,10 +37,10 @@ clusterGroup: external-secrets: image: - tag: v0.9.13-ubi + tag: v0.9.14-ubi webhook: image: - tag: v0.9.13-ubi + tag: v0.9.14-ubi certController: image: - tag: v0.9.13-ubi + tag: v0.9.14-ubi diff --git a/tests/golang-external-secrets-industrial-edge-factory.expected.yaml b/tests/golang-external-secrets-industrial-edge-factory.expected.yaml index 788f0ce..0e5156a 100644 --- a/tests/golang-external-secrets-industrial-edge-factory.expected.yaml +++ b/tests/golang-external-secrets-industrial-edge-factory.expected.yaml @@ -4,12 +4,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml 
@@ -17,12 +17,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -30,12 +30,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -43,12 +43,12 @@ apiVersion: v1 kind: Secret metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- 
@@ -1762,6 +1762,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: @@ -3026,6 +3066,11 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: description: |- Optional SecretRef that refers to a key in a Secret resource containing JWT token to 
@@ -3269,6 +3314,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
@@ -3600,6 +3673,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -3760,6 +3897,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object pulumi: description: Pulumi configures this store to sync secrets using the Pulumi provider properties: 
@@ -4332,6 +4509,14 @@ spec: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: @@ -6304,6 +6489,13 @@ spec: type: type: string type: object + updatePolicy: + default: Replace + description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' + enum: + - Replace + - IfNotExists + type: string required: - secretStoreRefs - selector @@ -6373,7 +6565,9 @@ spec: - match type: object type: object - description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore. + description: |- + Synced PushSecrets, including secrets that already exist in provider. + Matches secret stores to PushSecretData that was stored to that secret store. type: object syncedResourceVersion: description: SyncedResourceVersion keeps track of the last synced version. 
@@ -7296,6 +7490,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: @@ -8560,6 +8794,11 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: description: |- Optional SecretRef that refers to a key in a Secret resource containing JWT token to 
@@ -8803,6 +9042,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
@@ -9134,6 +9401,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -9294,6 +9625,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object pulumi: description: Pulumi configures this store to sync secrets using the Pulumi provider properties: 
@@ -9866,6 +10237,14 @@ spec: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: @@ -10774,6 +11153,14 @@ spec: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: @@ -11139,10 +11526,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -11206,10 +11593,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -11315,10 +11702,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -11355,10 +11742,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -11399,10 +11786,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -11420,10 +11807,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -11431,7 +11818,7 @@ roleRef: name: golang-external-secrets-cert-controller subjects: - name: external-secrets-cert-controller - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml @@ -11440,10 +11827,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -11451,7 +11838,7 @@ roleRef: name: golang-external-secrets-controller subjects: - name: golang-external-secrets - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml @@ -11474,12 +11861,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -11513,12 +11900,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -11527,19 +11914,19 @@ roleRef: subjects: - kind: ServiceAccount name: golang-external-secrets - namespace: "default" + namespace: default --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml apiVersion: v1 kind: Service metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -11558,12 +11945,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -11575,10 +11962,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -11593,7 +11980,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.13-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.14-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -11621,12 +12008,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -11638,10 +12025,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets @@ -11656,7 +12043,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.13-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.14-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 
@@ -11671,12 +12058,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -11688,10 +12075,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -11706,7 +12093,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.13-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.14-ubi imagePullPolicy: IfNotPresent args: - webhook @@ -11786,7 +12173,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-secretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -11802,7 +12189,7 @@ webhooks: scope: "Cluster" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-clustersecretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -11826,7 +12213,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-externalsecret admissionReviewVersions: ["v1", "v1beta1"] 
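Review bot: the Deployment hunks at `@@ -11593,7 +11980,7 @@`, `@@ -11656,7 +12043,7 @@` and `@@ -11706,7 +12093,7 @@` still reference the controller image by a mutable tag (`image: ghcr.io/external-secrets/external-secrets:v0.9.14-ubi` together with `imagePullPolicy: IfNotPresent`); since this file is rendered output, the change belongs in the chart values, where the image could be pinned by digest so that a re-pushed tag cannot alter what actually runs. The many `- namespace: "default"` / `+ namespace: default` lines are only a quoting difference in the upstream templates and produce the same object, so they need no separate scrutiny.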
diff --git a/tests/golang-external-secrets-industrial-edge-hub.expected.yaml b/tests/golang-external-secrets-industrial-edge-hub.expected.yaml index 735d99f..847a025 100644 --- a/tests/golang-external-secrets-industrial-edge-hub.expected.yaml +++ b/tests/golang-external-secrets-industrial-edge-hub.expected.yaml @@ -4,12 +4,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -17,12 +17,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -30,12 +30,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml 
@@ -43,12 +43,12 @@ apiVersion: v1 kind: Secret metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -1762,6 +1762,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
@@ -3026,6 +3066,11 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: description: |- Optional SecretRef that refers to a key in a Secret resource containing JWT token to @@ -3269,6 +3314,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
@@ -3600,6 +3673,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -3760,6 +3897,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object pulumi: description: Pulumi configures this store to sync secrets using the Pulumi provider properties: 
@@ -4332,6 +4509,14 @@ spec: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: @@ -6304,6 +6489,13 @@ spec: type: type: string type: object + updatePolicy: + default: Replace + description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' + enum: + - Replace + - IfNotExists + type: string required: - secretStoreRefs - selector @@ -6373,7 +6565,9 @@ spec: - match type: object type: object - description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore. + description: |- + Synced PushSecrets, including secrets that already exist in provider. + Matches secret stores to PushSecretData that was stored to that secret store. type: object syncedResourceVersion: description: SyncedResourceVersion keeps track of the last synced version. 
@@ -7296,6 +7490,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: @@ -8560,6 +8794,11 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: description: |- Optional SecretRef that refers to a key in a Secret resource containing JWT token to 
@@ -8803,6 +9042,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
@@ -9134,6 +9401,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -9294,6 +9625,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object pulumi: description: Pulumi configures this store to sync secrets using the Pulumi provider properties: 
@@ -9866,6 +10237,14 @@ spec: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: @@ -10774,6 +11153,14 @@ spec: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: @@ -11139,10 +11526,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -11206,10 +11593,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -11315,10 +11702,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -11355,10 +11742,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -11399,10 +11786,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -11420,10 +11807,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -11431,7 +11818,7 @@ roleRef: name: golang-external-secrets-cert-controller subjects: - name: external-secrets-cert-controller - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml @@ -11440,10 +11827,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -11451,7 +11838,7 @@ roleRef: name: golang-external-secrets-controller subjects: - name: golang-external-secrets - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml @@ -11474,12 +11861,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -11513,12 +11900,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -11527,19 +11914,19 @@ roleRef: subjects: - kind: ServiceAccount name: golang-external-secrets - namespace: "default" + namespace: default --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml apiVersion: v1 kind: Service metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -11558,12 +11945,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -11575,10 +11962,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -11593,7 +11980,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.13-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.14-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -11621,12 +12008,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -11638,10 +12025,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets @@ -11656,7 +12043,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.13-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.14-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 
@@ -11671,12 +12058,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -11688,10 +12075,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -11706,7 +12093,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.13-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.14-ubi imagePullPolicy: IfNotPresent args: - webhook @@ -11786,7 +12173,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-secretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -11802,7 +12189,7 @@ webhooks: scope: "Cluster" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-clustersecretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -11826,7 +12213,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-externalsecret admissionReviewVersions: ["v1", "v1beta1"] 
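Review bot: in the three Deployment hunks in this region (golang-external-secrets-cert-controller, golang-external-secrets and golang-external-secrets-webhook) the container image moves from `ghcr.io/external-secrets/external-secrets:v0.9.13-ubi` to `ghcr.io/external-secrets/external-secrets:v0.9.14-ubi`, which is still a mutable tag combined with `imagePullPolicy: IfNotPresent`; since these expected files are rendered from the chart under `golang-external-secrets/charts/external-secrets`, consider pinning the image by digest in the chart values so that the rendered manifests, and this test, record an immutable reference. The `namespace: "default"` to `namespace: default` changes in the same hunks are quoting only and produce the same object, so they need no separate review.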
diff --git a/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml b/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml index 735d99f..847a025 100644 --- a/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml +++ b/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml @@ -4,12 +4,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -17,12 +17,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -30,12 +30,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml 
@@ -43,12 +43,12 @@ apiVersion: v1 kind: Secret metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -1762,6 +1762,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
@@ -3026,6 +3066,11 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: description: |- Optional SecretRef that refers to a key in a Secret resource containing JWT token to @@ -3269,6 +3314,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
@@ -3600,6 +3673,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -3760,6 +3897,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object pulumi: description: Pulumi configures this store to sync secrets using the Pulumi provider properties: 
@@ -4332,6 +4509,14 @@ spec: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: @@ -6304,6 +6489,13 @@ spec: type: type: string type: object + updatePolicy: + default: Replace + description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' + enum: + - Replace + - IfNotExists + type: string required: - secretStoreRefs - selector @@ -6373,7 +6565,9 @@ spec: - match type: object type: object - description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore. + description: |- + Synced PushSecrets, including secrets that already exist in provider. + Matches secret stores to PushSecretData that was stored to that secret store. type: object syncedResourceVersion: description: SyncedResourceVersion keeps track of the last synced version. 
@@ -7296,6 +7490,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: @@ -8560,6 +8794,11 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: description: |- Optional SecretRef that refers to a key in a Secret resource containing JWT token to 
@@ -8803,6 +9042,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
@@ -9134,6 +9401,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -9294,6 +9625,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object pulumi: description: Pulumi configures this store to sync secrets using the Pulumi provider properties: 
@@ -9866,6 +10237,14 @@ spec: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: @@ -10774,6 +11153,14 @@ spec: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: @@ -11139,10 +11526,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -11206,10 +11593,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -11315,10 +11702,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -11355,10 +11742,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -11399,10 +11786,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -11420,10 +11807,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -11431,7 +11818,7 @@ roleRef: name: golang-external-secrets-cert-controller subjects: - name: external-secrets-cert-controller - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml @@ -11440,10 +11827,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -11451,7 +11838,7 @@ roleRef: name: golang-external-secrets-controller subjects: - name: golang-external-secrets - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml @@ -11474,12 +11861,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -11513,12 +11900,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -11527,19 +11914,19 @@ roleRef: subjects: - kind: ServiceAccount name: golang-external-secrets - namespace: "default" + namespace: default --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml apiVersion: v1 kind: Service metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -11558,12 +11945,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -11575,10 +11962,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -11593,7 +11980,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.13-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.14-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -11621,12 +12008,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -11638,10 +12025,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets @@ -11656,7 +12043,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.13-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.14-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 
@@ -11671,12 +12058,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -11688,10 +12075,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -11706,7 +12093,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.13-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.14-ubi imagePullPolicy: IfNotPresent args: - webhook @@ -11786,7 +12173,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-secretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -11802,7 +12189,7 @@ webhooks: scope: "Cluster" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-clustersecretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -11826,7 +12213,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-externalsecret admissionReviewVersions: ["v1", "v1beta1"] 
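Review bot: the `updatePolicy` hunk in this file (`@@ -6304,6 +6489,13 @@`) adds a PushSecret field whose default is `Replace`, so a PushSecret that targets a key which already exists in the provider will overwrite it unless `IfNotExists` is set explicitly; this is upstream CRD behaviour carried into the expected output, but any PushSecret shipped by the patterns should be checked to confirm that `Replace` is the intended policy. The accompanying status description change to `Synced PushSecrets, including secrets that already exist in provider.` is consistent with that semantics.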
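Review bot: in the `onboardbase` hunks of this file (`@@ -3600,6 +3673,70 @@` and `@@ -9134,6 +9401,70 @@`) the `project` field defaults to `development`, identical to the `environment` default, even though its description says it names an Onboardbase project; the `environment` description also misspells `environmnent`, and `apiHost` is listed under `required` despite carrying a default. These are upstream CRD strings regenerated verbatim, so there is nothing to change in this repository, but they are worth an upstream issue rather than being carried silently in the expected output.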
diff --git a/tests/golang-external-secrets-naked.expected.yaml b/tests/golang-external-secrets-naked.expected.yaml index e09b409..081ba46 100644 --- a/tests/golang-external-secrets-naked.expected.yaml +++ b/tests/golang-external-secrets-naked.expected.yaml @@ -4,12 +4,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -17,12 +17,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -30,12 +30,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml 
@@ -43,12 +43,12 @@ apiVersion: v1 kind: Secret metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -1762,6 +1762,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
@@ -3026,6 +3066,11 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: description: |- Optional SecretRef that refers to a key in a Secret resource containing JWT token to @@ -3269,6 +3314,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
@@ -3600,6 +3673,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -3760,6 +3897,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object pulumi: description: Pulumi configures this store to sync secrets using the Pulumi provider properties: 
@@ -4332,6 +4509,14 @@ spec: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: @@ -6304,6 +6489,13 @@ spec: type: type: string type: object + updatePolicy: + default: Replace + description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' + enum: + - Replace + - IfNotExists + type: string required: - secretStoreRefs - selector @@ -6373,7 +6565,9 @@ spec: - match type: object type: object - description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore. + description: |- + Synced PushSecrets, including secrets that already exist in provider. + Matches secret stores to PushSecretData that was stored to that secret store. type: object syncedResourceVersion: description: SyncedResourceVersion keeps track of the last synced version. 
@@ -7296,6 +7490,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: @@ -8560,6 +8794,11 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: description: |- Optional SecretRef that refers to a key in a Secret resource containing JWT token to 
@@ -8803,6 +9042,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
@@ -9134,6 +9401,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -9294,6 +9625,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object pulumi: description: Pulumi configures this store to sync secrets using the Pulumi provider properties: 
@@ -9866,6 +10237,14 @@ spec: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: @@ -10774,6 +11153,14 @@ spec: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: @@ -11139,10 +11526,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -11206,10 +11593,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -11315,10 +11702,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -11355,10 +11742,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -11399,10 +11786,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -11420,10 +11807,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -11431,7 +11818,7 @@ roleRef: name: golang-external-secrets-cert-controller subjects: - name: external-secrets-cert-controller - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml @@ -11440,10 +11827,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -11451,7 +11838,7 @@ roleRef: name: golang-external-secrets-controller subjects: - name: golang-external-secrets - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml @@ -11474,12 +11861,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -11513,12 +11900,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -11527,19 +11914,19 @@ roleRef: subjects: - kind: ServiceAccount name: golang-external-secrets - namespace: "default" + namespace: default --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml apiVersion: v1 kind: Service metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -11558,12 +11945,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -11575,10 +11962,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -11593,7 +11980,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.13-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.14-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -11621,12 +12008,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -11638,10 +12025,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets @@ -11656,7 +12043,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.13-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.14-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 
@@ -11671,12 +12058,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -11688,10 +12075,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -11706,7 +12093,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.13-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.14-ubi imagePullPolicy: IfNotPresent args: - webhook @@ -11786,7 +12173,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-secretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -11802,7 +12189,7 @@ webhooks: scope: "Cluster" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-clustersecretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -11826,7 +12213,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-externalsecret admissionReviewVersions: ["v1", "v1beta1"] 
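Review bot: the new `updatePolicy` field in the `@@ -6304,6 +6489,13 @@` hunk defaults to `Replace`, so a PushSecret that targets a provider entry which already exists will overwrite it unless the pattern sets `updatePolicy: IfNotExists`; since this is a behaviour change users of the chart will inherit on upgrade, it deserves a sentence in the pattern's values or docs, alongside the reworded `description` in the `@@ -6373,7 +6565,9 @@` hunk ("Synced PushSecrets, including secrets that already exist in provider") that reflects the same change.

Review bot: the `onboardbase` provider block in the `@@ -3600,6 +3673,70 @@` hunk carries an upstream typo (`environmnent`), gives both `environment` and `project` the default `development`, and lists `apiHost` under `required` even though it has a default; these descriptions are vendored CRD text, so they should not be hand-edited in the expected output, but they are worth reporting upstream rather than silently carrying forward.

Review bot: in the `passworddepot` blocks (hunks `@@ -1762`, `@@ -3760`, `@@ -7296`, `@@ -9294`) the `secretRef` object has no `description`, unlike its sibling fields and unlike the `fortanix` `secretRef` ("SecretRef is a reference to a secret containing the SDKMS API Key"); again vendored text, but the same four-fold repetition makes it a cheap upstream documentation fix.

Review bot: the `namespace: "default"` to `namespace: default` changes spread through every ServiceAccount, Secret, Role, RoleBinding, Service, Deployment and webhook `clientConfig` hunk are quoting-only and carry no YAML semantic difference; they come from the upstream templates rather than from this repository, so nothing to act on, but it is worth confirming the expected files were regenerated with the same helm version as CI (the linter workflow pins `v3.13.2`) so that quoting drift does not reappear on the next bump.

Review bot: the three Deployment hunks (`@@ -11593`, `@@ -11656`, `@@ -11706`) move the image to `ghcr.io/external-secrets/external-secrets:v0.9.14-ubi` in step with `helm.sh/chart: external-secrets-0.9.14` and `app.kubernetes.io/version: "v0.9.14"`, which is the consistency a reviewer wants to see; the unchanged context (`- ALL` capabilities dropped, `readOnlyRootFilesystem: true`, `runAsNonRoot: true`) confirms the pod security settings survived the chart bump. The tag is still a mutable reference, so if the repository ever pins images by digest, these expected files are where that pin would show up.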
diff --git a/tests/golang-external-secrets-normal.expected.yaml b/tests/golang-external-secrets-normal.expected.yaml index 735d99f..847a025 100644 --- a/tests/golang-external-secrets-normal.expected.yaml +++ b/tests/golang-external-secrets-normal.expected.yaml @@ -4,12 +4,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -17,12 +17,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -30,12 +30,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml 
@@ -43,12 +43,12 @@ apiVersion: v1 kind: Secret metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -1762,6 +1762,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
@@ -3026,6 +3066,11 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: description: |- Optional SecretRef that refers to a key in a Secret resource containing JWT token to @@ -3269,6 +3314,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
@@ -3600,6 +3673,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -3760,6 +3897,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object pulumi: description: Pulumi configures this store to sync secrets using the Pulumi provider properties: 
@@ -4332,6 +4509,14 @@ spec: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: @@ -6304,6 +6489,13 @@ spec: type: type: string type: object + updatePolicy: + default: Replace + description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' + enum: + - Replace + - IfNotExists + type: string required: - secretStoreRefs - selector @@ -6373,7 +6565,9 @@ spec: - match type: object type: object - description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore. + description: |- + Synced PushSecrets, including secrets that already exist in provider. + Matches secret stores to PushSecretData that was stored to that secret store. type: object syncedResourceVersion: description: SyncedResourceVersion keeps track of the last synced version. 
@@ -7296,6 +7490,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: @@ -8560,6 +8794,11 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: description: |- Optional SecretRef that refers to a key in a Secret resource containing JWT token to 
@@ -8803,6 +9042,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
@@ -9134,6 +9401,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -9294,6 +9625,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object pulumi: description: Pulumi configures this store to sync secrets using the Pulumi provider properties: 
@@ -9866,6 +10237,14 @@ spec: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: @@ -10774,6 +11153,14 @@ spec: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: @@ -11139,10 +11526,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -11206,10 +11593,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -11315,10 +11702,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -11355,10 +11742,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -11399,10 +11786,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -11420,10 +11807,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -11431,7 +11818,7 @@ roleRef: name: golang-external-secrets-cert-controller subjects: - name: external-secrets-cert-controller - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml @@ -11440,10 +11827,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -11451,7 +11838,7 @@ roleRef: name: golang-external-secrets-controller subjects: - name: golang-external-secrets - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml @@ -11474,12 +11861,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -11513,12 +11900,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -11527,19 +11914,19 @@ roleRef: subjects: - kind: ServiceAccount name: golang-external-secrets - namespace: "default" + namespace: default --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml apiVersion: v1 kind: Service metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -11558,12 +11945,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -11575,10 +11962,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -11593,7 +11980,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.13-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.14-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -11621,12 +12008,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -11638,10 +12025,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets @@ -11656,7 +12043,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.13-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.14-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 
@@ -11671,12 +12058,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -11688,10 +12075,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.13 + helm.sh/chart: external-secrets-0.9.14 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.13" + app.kubernetes.io/version: "v0.9.14" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -11706,7 +12093,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.9.13-ubi + image: ghcr.io/external-secrets/external-secrets:v0.9.14-ubi imagePullPolicy: IfNotPresent args: - webhook @@ -11786,7 +12173,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-secretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -11802,7 +12189,7 @@ webhooks: scope: "Cluster" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-clustersecretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -11826,7 +12213,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-externalsecret admissionReviewVersions: ["v1", "v1beta1"] From f4bed3a35f9ddd3ed49ea59dc4a3d8a394ebe55a Mon Sep 17 00:00:00 2001 
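Review bot: in both copies of the `onboardbase` schema hunk (`@@ -3600,6 +3673,70 @@` and `@@ -9134,6 +9401,70 @@`), `project` is given `default: development`, which looks like a copy of the `environment` default rather than a meaningful project default, and the `environment` description misspells `environmnent`. Since this file is rendered from the upstream external-secrets chart, raise both upstream rather than hand-editing the rendered copy, or the next chart bump will reintroduce them.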
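Review bot: the three Deployment hunks (`@@ -11593,7 +11980,7 @@`, `@@ -11656,7 +12043,7 @@`, `@@ -11706,7 +12093,7 @@`) move the controller, cert-controller and webhook to `ghcr.io/external-secrets/external-secrets:v0.9.14-ubi` by mutable tag only. For a component that holds credentials to every configured secret backend, consider pinning by digest as well (`image: ghcr.io/external-secrets/external-secrets:v0.9.14-ubi@sha256:<digest-placeholder>`) and recording the digest in the commit message, so the bump is reproducible and verifiable against the upstream release.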
From: Michele Baldessari Date: Tue, 16 Apr 2024 07:04:01 +0200 Subject: [PATCH 41/64] Update CRD from operator v0.0.44 --- ...ops.hybrid-cloud-patterns.io_patterns.yaml | 55 +++++++++++-------- 1 file changed, 33 insertions(+), 22 deletions(-) diff --git a/operator-install/crds/gitops.hybrid-cloud-patterns.io_patterns.yaml b/operator-install/crds/gitops.hybrid-cloud-patterns.io_patterns.yaml index 68be225..b3d769b 100644 --- a/operator-install/crds/gitops.hybrid-cloud-patterns.io_patterns.yaml +++ b/operator-install/crds/gitops.hybrid-cloud-patterns.io_patterns.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.14.0 name: patterns.gitops.hybrid-cloud-patterns.io spec: group: gitops.hybrid-cloud-patterns.io 
@@ -31,14 +31,19 @@ spec: description: Pattern is the Schema for the patterns API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -51,9 +56,14 @@ spec: type: string clusterGroupName: type: string + experimentalCapabilities: + description: Comma separated capabilities to enable certain experimental + features + type: string extraParameters: - description: '.Name is dot separated per the helm --set syntax, such - as: global.something.field' + description: |- + .Name is dot separated per the helm --set syntax, such as: + global.something.field items: properties: name: 
@@ -105,9 +115,9 @@ spec: short-sha''s. Default: HEAD' type: string tokenSecret: - description: Optional. K8s secret name where the info for connecting - to git can be found. The supported secrets are modeled after - the private repositories in argo (https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories) + description: |- + Optional. K8s secret name where the info for connecting to git can be found. The supported secrets are modeled after the + private repositories in argo (https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories) currently ssh and username+password are supported type: string tokenSecretNamespace: @@ -121,18 +131,18 @@ spec: properties: clusterGroupChartGitRevision: default: main - description: The git reference when deploying the clustergroup - helm chart directly from a git repo Defaults to 'main'. (Only - used when developing the clustergroup helm chart) + description: |- + The git reference when deploying the clustergroup helm chart directly from a git repo + Defaults to 'main'. (Only used when developing the clustergroup helm chart) type: string clusterGroupChartVersion: description: Which chart version for the clustergroup helm chart. Defaults to "0.8.*" type: string clusterGroupGitRepoUrl: - description: The url when deploying the clustergroup helm chart - directly from a git repo Defaults to '' which means not used - (Only used when developing the clustergroup helm chart) + description: |- + The url when deploying the clustergroup helm chart directly from a git repo + Defaults to '' which means not used (Only used when developing the clustergroup helm chart) type: string enabled: default: true 
@@ -160,10 +170,11 @@ spec: type: string applications: items: - description: PatternApplicationInfo defines the Applications Status - for the Pattern. This structure is part of the PatternStatus as - an array The Application Status will be included as part of the - Observed state of Pattern + description: |- + PatternApplicationInfo defines the Applications + Status for the Pattern. + This structure is part of the PatternStatus as an array + The Application Status will be included as part of the Observed state of Pattern properties: healthMessage: type: string From 2319eea438e5931cf42b591b9501919dc8fd6227 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Tue, 16 Apr 2024 17:32:35 +0200 Subject: [PATCH 42/64] Expose main.experimentalCapabilities in operator-install --- operator-install/templates/pattern.yaml | 3 +++ operator-install/values.yaml | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/operator-install/templates/pattern.yaml b/operator-install/templates/pattern.yaml index 3615d18..8bf7761 100644 --- a/operator-install/templates/pattern.yaml +++ b/operator-install/templates/pattern.yaml @@ -20,6 +20,9 @@ spec: {{- if .Values.main.analyticsUUID }} analyticsUUID: {{ .Values.main.analyticsUUID }} {{- end }} {{/* if .Values.main.analyticsUUID */}} +{{- if .Values.main.experimentalCapabilities }} + experimentalCapabilities: {{ .Values.main.experimentalCapabilities }} +{{- end }} {{/* if .Values.main.experimentalCapabilities */}} {{- if .Values.main.extraParameters }} extraParameters: {{- range .Values.main.extraParameters }} diff --git a/operator-install/values.yaml b/operator-install/values.yaml index 9c2f738..28bc3d4 100644 --- a/operator-install/values.yaml +++ b/operator-install/values.yaml 
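Review bot: the new `experimentalCapabilities` field in the `@@ -51,9 +56,14 @@` CRD hunk is described as "Comma separated capabilities" but carries only `type: string`, so the API server accepts any value and a typo is only noticed at runtime. If the capability names are a known set (the Argo error quoted later on this page shows `initcontainers` in use), add a `pattern:` such as `^[a-z0-9]+(,[a-z0-9]+)*$` or an `enum` so bad values are rejected at admission.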
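Review bot: in the `operator-install/templates/pattern.yaml` hunk, `experimentalCapabilities: {{ .Values.main.experimentalCapabilities }}` is emitted unquoted, so a value that YAML parses as a non-string (for example `true` or `1`) would be rejected by the CRD's `type: string`; render it as `experimentalCapabilities: {{ .Values.main.experimentalCapabilities | quote }}`. The `analyticsUUID` line just above has the same weakness, but that is pre-existing.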
@@ -13,6 +13,10 @@ main: multiSourceConfig: enabled: false + # String to enable certain experimental capabilities in the operator and the + # framework. Not needed unless you know exactly what you're doing. + experimentalCapabilities: "" + patternsOperator: channel: fast source: community-operators From 2ffb55fec01e945d805fbcdd00fdf07743daed3b Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Tue, 16 Apr 2024 19:50:34 +0200 Subject: [PATCH 43/64] Release clustergroup v0.8.3 --- clustergroup/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clustergroup/Chart.yaml b/clustergroup/Chart.yaml index 345b817..367cea3 100644 --- a/clustergroup/Chart.yaml +++ b/clustergroup/Chart.yaml @@ -3,4 +3,4 @@ description: A Helm chart to create per-clustergroup ArgoCD applications and any keywords: - pattern name: clustergroup -version: 0.8.2 +version: 0.8.3 From aee51586f7a02366fada0032ebe74b89e15ce4c6 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Wed, 17 Apr 2024 16:17:57 +0200 Subject: [PATCH 44/64] Support remote repoURL when previewing templates This allows us to have a remote repoURL + path kustomize combo and show the resulting templates in `make preview`. Tested with: web-terminal: name: web-terminal namespace: hello-world project: hub kustomize: true targetRevision: main repoURL: https://github.com/redhat-cop/gitops-catalog path: web-terminal/aggregate/overlays/default Closes: https://github.com/validatedpatterns/multicloud-gitops/issues/356 --- scripts/preview.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scripts/preview.sh b/scripts/preview.sh index ac2cd5c..b9839c5 100755 --- a/scripts/preview.sh +++ b/scripts/preview.sh 
@@ -96,6 +96,10 @@ done if [ $isKustomize == "true" ]; then kustomizePath=$(yq ".clusterGroup.applications.$APP.path" values-$SITE.yaml) + repoURL=$(yq ".clusterGroup.applications.$APP.repoURL" values-$SITE.yaml) + if [[ $repoURL == http* ]] || [[ $repoURL == git@ ]]; then + kustomizePath="${repoURL}/${kustomizePath}" + fi cmd="oc kustomize ${kustomizePath}" eval "$cmd" else From 890ac2e46e952446d9737105d97e52766603d638 Mon Sep 17 00:00:00 2001 From: Wade Bee Date: Wed, 17 Apr 2024 14:25:16 -0400 Subject: [PATCH 45/64] Moved CLUSTERGROUP declaration to restore make preview-% functionality --- Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index c6c7539..b15f4be 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,6 @@ NAME ?= $(shell basename "`pwd`") +CLUSTERGROUP ?= $(shell yq ".main.clusterGroupName" values-global.yaml) + ifneq ($(origin TARGET_SITE), undefined) TARGET_SITE_OPT=--set main.clusterGroupName=$(TARGET_SITE) endif @@ -60,7 +62,6 @@ preview-all: ## (EXPERIMENTAL) Previews all applications on hub and managed clus @common/scripts/preview-all.sh $(TARGET_REPO) $(TARGET_BRANCH) preview-%: - CLUSTERGROUP?=$(shell yq ".main.clusterGroupName" values-global.yaml) @common/scripts/preview.sh $(CLUSTERGROUP) $* $(TARGET_REPO) $(TARGET_BRANCH) .PHONY: operator-deploy From e27624cbf1f5e0664350d37bc90176d3de63fa59 Mon Sep 17 00:00:00 2001 From: Lester Claudio Date: Wed, 17 Apr 2024 15:43:48 -0600 Subject: [PATCH 46/64] Namespace argocd.argoproj.io/managed-by label issue - Fixed issue in common/clustergroup/templates/_helpers.tpl to render correct label --- clustergroup/templates/_helpers.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clustergroup/templates/_helpers.tpl b/clustergroup/templates/_helpers.tpl index 44b2d07..9054f3b 100644 --- a/clustergroup/templates/_helpers.tpl +++ b/clustergroup/templates/_helpers.tpl 
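Review bot: in the `scripts/preview.sh` hunk the second test, `[[ $repoURL == git@ ]]`, has no glob, so it only matches a `repoURL` that is exactly `git@`; every ssh-style URL (`git@github.com:org/repo`) falls through to the local-path branch. Use `[[ $repoURL == git@* ]]`. Two further gaps: `targetRevision` from the same application entry (the commit message's test case sets `targetRevision: main`) is never appended, so the remote is always fetched at its default branch (kustomize accepts `?ref=<revision>` on the URL); and `repoURL`, which comes straight from a values file, is spliced into `cmd` and then run through the existing `eval "$cmd"`, so a crafted value becomes shell. Calling `oc kustomize "$kustomizePath"` directly removes that exposure.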
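Review bot: the `Makefile` hunk moves `CLUSTERGROUP ?= $(shell yq ".main.clusterGroupName" values-global.yaml)` to the top of the file, so `yq` now runs on every `make` invocation, including targets that never use `CLUSTERGROUP`, and emits an error whenever `values-global.yaml` is absent. The removed line was indeed broken (a `VAR?=` line inside a recipe is handed to the shell, not interpreted by make), but a target-specific assignment (`preview-%: CLUSTERGROUP ?= $(shell yq ".main.clusterGroupName" values-global.yaml)`) keeps the lazy evaluation without the global side effect and still lets `make CLUSTERGROUP=... preview-foo` override it.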
@@ -164,7 +164,7 @@ metadata: name: {{ $k }} {{- if ne $v nil }} labels: - argocd.argoproj.io/managed-by: {{ $patternName }}-{{ .clusterGroupName }} + argocd.argoproj.io/managed-by: {{ $patternName }}-{{ $clusterGroupName }} {{- if $v.labels }} {{- range $key, $value := $v.labels }} {{- /* We loop here even though the map has always just one key */}} {{ $key }}: {{ $value | default "" | quote }} From 13ee338d128fde8a7026e4c09de3eee13fe77ffa Mon Sep 17 00:00:00 2001 From: Wade Bee Date: Wed, 17 Apr 2024 17:59:12 -0400 Subject: [PATCH 47/64] Fixed indenting and duplicate entries in application-policies.yaml This corrects Argo error: Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = Manifest generation error (cached): `helm template . --name-template acm --namespace open-cluster-management --kube-version 1.25 --set global.privateRepo=false --set global.experimentalCapabilities=initcontainers --set global.repoURL=https://github.myrepo.com/EnterpriseKubernetes/multicloud-gitops.git --set global.clusterDomain=mydomain.azure.us --set global.clusterPlatform=Azure --set global.hubClusterDomain=mydomain.azure.us --set global.localClusterDomain=mydomain.azure.us --set global.targetRevision=prod --set global.namespace=open-cluster-management --set global.pattern=ekho --set global.clusterVersion=4.12 --values /values-global.yaml --values /values-hub.yaml --include-crds` failed exit status 1: Error: YAML parse error on acm/templates/policies/application-policies.yaml: error converting YAML to JSON: yaml: line 50: did not find expected key Use --debug flag to render out invalid YAML Also corrects mapping error warning on make preview-acm --- acm/templates/policies/application-policies.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/acm/templates/policies/application-policies.yaml b/acm/templates/policies/application-policies.yaml index 925915c..94c624b 100644 
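Review bot: switching `.clusterGroupName` to `$clusterGroupName` in the `_helpers.tpl` hunk is the right fix inside a `range`, where `.` is rebound to the current map entry, but the three context lines do not show where `$clusterGroupName` is assigned. Confirm it is set at template scope before the loop (next to `$patternName`), because a reference to an undefined template variable makes `helm template` fail at parse time rather than rendering an empty label.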
--- a/acm/templates/policies/application-policies.yaml +++ b/acm/templates/policies/application-policies.yaml @@ -44,13 +44,10 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - {{- include "acm.app.policies.valuefiles" . | nindent 24 }} + {{- include "acm.app.policies.valuefiles" . | nindent 22 }} {{- range $valueFile := $.Values.global.extraValueFiles }} - {{ $valueFile | quote }} {{- end }} - {{- range $valueFile := .extraValueFiles }} - - {{ $valueFile | quote }} - {{- end }} parameters: - name: global.repoURL value: {{ $.Values.global.repoURL }} From 50b2f5554d7bf503f4e9e008935f9664c0ebf915 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Thu, 18 Apr 2024 08:17:27 +0200 Subject: [PATCH 48/64] Add main.experimentalCapabilities to values.schema.json This way it can be set straight from a values-*.yaml file Tested on MCG. --- clustergroup/values.schema.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/clustergroup/values.schema.json b/clustergroup/values.schema.json index cf14bf2..071805f 100644 --- a/clustergroup/values.schema.json +++ b/clustergroup/values.schema.json @@ -65,6 +65,10 @@ "clusterGroupName": { "type": "string" }, + "experimentalCapabilities": { + "type": "string", + "description": "String to enable certain experimental capabilities in the operator and the framework." + }, "git": { "type": "object", "additionalProperties": false, From 866cd995c6e801e29a97bf77ed63b1b16d7c4dff Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Thu, 18 Apr 2024 08:22:02 +0200 Subject: [PATCH 49/64] Release clustergroup v0.8.4 --- clustergroup/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clustergroup/Chart.yaml b/clustergroup/Chart.yaml index 367cea3..c8ba873 100644 --- a/clustergroup/Chart.yaml +++ b/clustergroup/Chart.yaml @@ -3,4 +3,4 @@ description: A Helm chart to create per-clustergroup ArgoCD applications and any keywords: - pattern name: clustergroup -version: 0.8.3 +version: 0.8.4 
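Review bot: in the `acm/templates/policies/application-policies.yaml` hunk, deleting the `range $valueFile := .extraValueFiles` block removes the per-application value files, which is only correct if the `acm.app.policies.valuefiles` include already emits them; the hunk does not show that helper, so please confirm before merging. The `nindent 24` to `nindent 22` change should also come with an expected-output test that uses a non-empty per-application `extraValueFiles`, so both the indentation and the de-duplication are covered.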
From 739a63b1ac0f1efadbe6db25632c8b710879664c Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Thu, 18 Apr 2024 12:41:55 +0200 Subject: [PATCH 50/64] Move the CLUSTERGROUP env variable for previews inside its section This way the code is a bit less confusing and it's more obvious when/where CLUSTERGROUP is used. make preview-% still keeps working as usual and you can override things via `make CLUSTERGROUP=group-one preview-hello-world` Gotta love Makefile's idiosyncrasies around per-target variables --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index b15f4be..7882a9c 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,4 @@ NAME ?= $(shell basename "`pwd`") -CLUSTERGROUP ?= $(shell yq ".main.clusterGroupName" values-global.yaml) ifneq ($(origin TARGET_SITE), undefined) TARGET_SITE_OPT=--set main.clusterGroupName=$(TARGET_SITE) @@ -62,6 +61,7 @@ preview-all: ## (EXPERIMENTAL) Previews all applications on hub and managed clus @common/scripts/preview-all.sh $(TARGET_REPO) $(TARGET_BRANCH) preview-%: + $(eval CLUSTERGROUP ?= $(shell yq ".main.clusterGroupName" values-global.yaml)) @common/scripts/preview.sh $(CLUSTERGROUP) $* $(TARGET_REPO) $(TARGET_BRANCH) .PHONY: operator-deploy From 65eab76b505dc46e21746e11d97ecd4207c597fa Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Thu, 18 Apr 2024 15:31:52 +0200 Subject: [PATCH 51/64] Fix up tests after upstream PR merge --- tests/acm-industrial-edge-hub.expected.yaml | 16 +++++----- tests/acm-medical-diagnosis-hub.expected.yaml | 16 +++++----- tests/acm-normal.expected.yaml | 32 +++++++++---------- 3 files changed, 32 insertions(+), 32 deletions(-) diff --git a/tests/acm-industrial-edge-hub.expected.yaml b/tests/acm-industrial-edge-hub.expected.yaml index a912f0c..b44e051 100644 --- a/tests/acm-industrial-edge-hub.expected.yaml +++ b/tests/acm-industrial-edge-hub.expected.yaml 
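Review bot: `$(eval CLUSTERGROUP ?= $(shell yq ".main.clusterGroupName" values-global.yaml))` has no failure path: if `yq` is missing or `values-global.yaml` has no `main.clusterGroupName`, `CLUSTERGROUP` is empty and, because the recipe passes it unquoted, `preview.sh` receives `$*` as its first argument and every parameter shifts by one. Add a guard after the eval, for example `$(if $(CLUSTERGROUP),,$(error CLUSTERGROUP is empty; is yq installed and main.clusterGroupName set?))`, or quote the argument so `preview.sh` can reject the empty value. The override in the message (`make CLUSTERGROUP=group-one preview-hello-world`) keeps working because command-line variables take precedence over `?=`.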
@@ -215,14 +215,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-factory.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-factory.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - "/values-global.yaml" + - "/values-factory.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-factory.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf "%d.%d" 
((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL value: https://github.com/pattern-clone/mypattern diff --git a/tests/acm-medical-diagnosis-hub.expected.yaml b/tests/acm-medical-diagnosis-hub.expected.yaml index 3ac5fe1..b98682a 100644 --- a/tests/acm-medical-diagnosis-hub.expected.yaml +++ b/tests/acm-medical-diagnosis-hub.expected.yaml 
@@ -206,14 +206,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-region-one.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-region-one.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - "/values-global.yaml" + - "/values-region-one.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-region-one.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf 
"%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL value: https://github.com/pattern-clone/mypattern diff --git a/tests/acm-normal.expected.yaml b/tests/acm-normal.expected.yaml index 1a3f6e7..ee3f05f 100644 --- a/tests/acm-normal.expected.yaml +++ b/tests/acm-normal.expected.yaml 
@@ -609,14 +609,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-acm-edge.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-edge.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - "/values-global.yaml" + - "/values-acm-edge.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-edge.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf "%d.%d" 
((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL value: https://github.com/pattern-clone/mypattern 
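Review bot: these are whitespace-only fixture updates (the `valueFiles` list moves from 24 to 22 columns) chasing the `nindent 22` change to `application-policies.yaml` made two commits earlier; they belong in that commit so that every point in the series has fixtures matching the templates and bisecting on the test target stays meaningful. Both indentations are valid YAML for a sequence under `valueFiles`, so there is no behavioural change here.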
@@ -707,14 +707,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-acm-provision-edge.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-edge.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - "/values-global.yaml" + - "/values-acm-provision-edge.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-edge.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster 
version + - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL value: https://github.com/pattern-clone/mypattern From 444016b931b25915ea892d52dad7c6851ae114e1 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Thu, 18 Apr 2024 15:33:09 +0200 Subject: [PATCH 52/64] Drop old comments --- acm/templates/policies/application-policies.yaml | 2 -- tests/acm-industrial-edge-hub.expected.yaml | 2 -- tests/acm-medical-diagnosis-hub.expected.yaml | 2 -- tests/acm-normal.expected.yaml | 4 ---- 4 files changed, 10 deletions(-) diff --git a/acm/templates/policies/application-policies.yaml b/acm/templates/policies/application-policies.yaml index 94c624b..131f4f3 100644 --- a/acm/templates/policies/application-policies.yaml +++ b/acm/templates/policies/application-policies.yaml @@ -61,10 +61,8 @@ spec: value: {{ $.Values.global.hubClusterDomain }} - name: global.localClusterDomain value: '{{ `{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}` }}' - # Requires ACM 2.6 or higher - name: global.clusterDomain value: '{{ `{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}` }}' - # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - name: global.clusterVersion value: '{{ `{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}` }}' - name: global.localClusterName diff --git a/tests/acm-industrial-edge-hub.expected.yaml b/tests/acm-industrial-edge-hub.expected.yaml index b44e051..21a1c30 100644 
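Review bot: the two dropped comments were the only in-tree record that the `lookup`-based `global.clusterDomain` and `global.clusterVersion` parameters need ACM 2.6 or newer; if that floor still applies, record it where users will see it (the acm chart README or `Chart.yaml` annotations) before removing it from the template, and if ACM 2.6 is now below the supported minimum, say so in the commit message. The fixture changes are comment-only and render identically.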
--- a/tests/acm-industrial-edge-hub.expected.yaml +++ b/tests/acm-industrial-edge-hub.expected.yaml @@ -236,10 +236,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - # Requires ACM 2.6 or higher - name: global.clusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' - # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - name: global.clusterVersion value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - name: global.localClusterName diff --git a/tests/acm-medical-diagnosis-hub.expected.yaml b/tests/acm-medical-diagnosis-hub.expected.yaml index b98682a..40df35e 100644 --- a/tests/acm-medical-diagnosis-hub.expected.yaml +++ b/tests/acm-medical-diagnosis-hub.expected.yaml @@ -227,10 +227,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - # Requires ACM 2.6 or higher - name: global.clusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' - # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - name: global.clusterVersion value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - name: global.localClusterName diff --git a/tests/acm-normal.expected.yaml b/tests/acm-normal.expected.yaml index ee3f05f..20a38d5 100644 --- a/tests/acm-normal.expected.yaml 
+++ b/tests/acm-normal.expected.yaml @@ -630,10 +630,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - # Requires ACM 2.6 or higher - name: global.clusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' - # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - name: global.clusterVersion value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - name: global.localClusterName @@ -728,10 +726,8 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - # Requires ACM 2.6 or higher - name: global.clusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' - # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - name: global.clusterVersion value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - name: global.localClusterName From 0283fc2fba0c9c97cbd358b44482f33db06057fd Mon Sep 17 00:00:00 2001 
From: Lester Claudio Date: Thu, 18 Apr 2024 07:57:29 -0600 Subject: [PATCH 53/64] bug: Fix to generate OperatorGroup definition when namespaces definition has labels - Added condition to check if operatorGroup key exists {{- if or $v.operatorGroup (not (hasKey $v "operatorGroup")) }} - Default behavior is that we generate an OperatorGroup for a Namespace definition. --- clustergroup/templates/_helpers.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clustergroup/templates/_helpers.tpl b/clustergroup/templates/_helpers.tpl index 9054f3b..04da642 100644 --- a/clustergroup/templates/_helpers.tpl +++ b/clustergroup/templates/_helpers.tpl @@ -195,7 +195,7 @@ spec: {{- if or (empty $operatorgroupExcludes) (not (has . $operatorgroupExcludes)) }} {{- range $k, $v := $ns }}{{- /* We loop here even though the map has always just one key */}} {{- if $v }} - {{- if $v.operatorGroup }}{{- /* Checks if the user sets operatorGroup: false */}} + {{- if or $v.operatorGroup (not (hasKey $v "operatorGroup")) }}{{- /* Checks if the user sets operatorGroup: false */}} apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: From c35d1244b92245600c11743f29015c9b4bdef6e7 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Thu, 18 Apr 2024 21:09:07 +0200 Subject: [PATCH 54/64] Try fallbacks for /etc/pki when it does not exist --- scripts/pattern-util.sh | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/scripts/pattern-util.sh b/scripts/pattern-util.sh index 0f865e0..f7be58c 100755 --- a/scripts/pattern-util.sh +++ b/scripts/pattern-util.sh 
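Review bot: the new condition `or $v.operatorGroup (not (hasKey $v "operatorGroup"))` changes the helper's default to "create an OperatorGroup unless `operatorGroup: false` is set", but the inline comment still reads `Checks if the user sets operatorGroup: false`, and the sibling template `clustergroup/templates/core/operatorgroup.yaml` keeps the old `{{- if $v.operatorGroup }}` test (visible in a later hunk of this series), so a namespace with `labels:` but no `operatorGroup` key now yields an OperatorGroup in one code path and none in the other. Apply the same condition in `operatorgroup.yaml` and reword the comment to describe the default.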
@@ -48,6 +48,16 @@ if [ -n "$KUBECONFIG" ]; then exit 1 fi fi + +# Use /etc/pki by default and try a couple of fallbacks if it does not exist +if [ -d /etc/pki ]; then + PKI_HOST_MOUNT="/etc/pki" +elif [ -d /etc/ssl ]; then + PKI_HOST_MOUNT="/etc/ssl" +else + PKI_HOST_MOUNT="/usr/share/ca-certificates" +fi + # Copy Kubeconfig from current environment. The utilities will pick up ~/.kube/config if set so it's not mandatory # $HOME is mounted as itself for any files that are referenced with absolute paths # $HOME is mounted to /root because the UID in the container is 0 and that's where SSH looks for credentials @@ -57,7 +67,7 @@ podman run -it --rm --pull=newer \ -e EXTRA_HELM_OPTS \ -e EXTRA_PLAYBOOK_OPTS \ -e KUBECONFIG \ - -v /etc/pki:/etc/pki:ro \ + -v "${PKI_HOST_MOUNT}":/etc/pki:ro \ -v "${HOME}":"${HOME}" \ -v "${HOME}":/pattern-home \ ${PODMAN_ARGS} \ From ae1227458bb3b3414bea68abb030c6d5a2178c18 Mon Sep 17 00:00:00 2001 From: Lester Claudio Date: Fri, 19 Apr 2024 09:08:29 -0600 Subject: [PATCH 55/64] Fix for multiple OperatorGroup rendering - Fixed issue with rendering multiple OperatorGroup. Added the beginning (---) to signal document start. - Updated the applications.yaml to include beginning (---) to signal document start. --- clustergroup/templates/_helpers.tpl | 2 ++ clustergroup/templates/core/operatorgroup.yaml | 2 ++ clustergroup/templates/plumbing/applications.yaml | 4 ++-- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/clustergroup/templates/_helpers.tpl b/clustergroup/templates/_helpers.tpl index 04da642..5001a06 100644 --- a/clustergroup/templates/_helpers.tpl +++ b/clustergroup/templates/_helpers.tpl @@ -196,6 +196,7 @@ spec: {{- range $k, $v := $ns }}{{- /* We loop here even though the map has always just one key */}} {{- if $v }} {{- if or $v.operatorGroup (not (hasKey $v "operatorGroup")) }}{{- /* Checks if the user sets operatorGroup: false */}} +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: 
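Review bot: the fallback mounts a host directory with a different layout over the container's `/etc/pki`, which is more likely to break TLS than to rescue it. Tooling in a RHEL/Fedora-based image resolves the trust store through `/etc/pki/tls/certs/ca-bundle.crt` and `/etc/pki/ca-trust/`; Debian/Ubuntu hosts keep the bundle at `/etc/ssl/certs/ca-certificates.crt`, and `/usr/share/ca-certificates` holds only the individual source `.crt` files. Bind-mounting `/etc/ssl` or `/usr/share/ca-certificates` onto `/etc/pki` hides the image's own bundle and provides none at the expected path, so TLS clients in the container see an empty trust store; on Debian-family hosts the `/etc/ssl` mount also drags `/etc/ssl/private` into the container. Prefer mounting the host bundle file onto the path the image expects (for example `-v /etc/ssl/certs/ca-certificates.crt:/etc/pki/tls/certs/ca-bundle.crt:ro`) and, when no host store is found, skipping the mount so the image's bundle is used. Also, the context comment `$HOME is mounted to /root because the UID in the container is 0` no longer matches the `-v "${HOME}":/pattern-home` mount a few lines below; update or drop it.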
@@ -212,6 +213,7 @@ spec: {{- end }}{{- /* End of if hasKey $v "targetNamespaces" */}} {{- end }}{{- /* End if $v.operatorGroup */}} {{- else }}{{- /* else if $v == nil */}} +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: diff --git a/clustergroup/templates/core/operatorgroup.yaml b/clustergroup/templates/core/operatorgroup.yaml index 17aa966..4d8c301 100644 --- a/clustergroup/templates/core/operatorgroup.yaml +++ b/clustergroup/templates/core/operatorgroup.yaml @@ -15,6 +15,7 @@ {{- if kindIs "map" $ns }} {{- range $k, $v := $ns }}{{- /* We loop here even though the map has always just one key */}} {{- if $v.operatorGroup }}{{- /* Checks if the user sets operatorGroup: false */}} +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -32,6 +33,7 @@ spec: {{- end }}{{- /* range $k, $v := $ns */}} {{- end }}{{- /* End of if operatorGroup */}} {{- else if kindIs "string" $ns }} +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: diff --git a/clustergroup/templates/plumbing/applications.yaml b/clustergroup/templates/plumbing/applications.yaml index dbfefa8..29db6f3 100644 --- a/clustergroup/templates/plumbing/applications.yaml +++ b/clustergroup/templates/plumbing/applications.yaml @@ -40,7 +40,7 @@ spec: limit: {{ default 20 $.Values.global.options.applicationRetryLimit }} {{- end }} {{- if .ignoreDifferences }} - ignoreDifferences: {{ .ignoreDifferences | toPrettyJson }} + ignoreDifferences: {{ .ignoreDifferences | toPrettyJson | nindent 2 }} {{- end }} source: repoURL: {{ coalesce .repoURL $.Values.global.repoURL }} @@ -119,6 +119,7 @@ spec: server: {{ coalesce .destinationServer "https://kubernetes.default.svc" }} namespace: {{ coalesce .destinationNamespace .namespace $namespace }} {{- else }} +--- apiVersion: argoproj.io/v1alpha1 kind: Application metadata: 
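Review bot: `ignoreDifferences: {{ .ignoreDifferences | toPrettyJson | nindent 2 }}` changes how a multi-line JSON value is laid out under `spec:`, but none of the visible fixture hunks in the follow-up test commit exercise `ignoreDifferences`, so the new rendering is unverified; add a clustergroup fixture with an application that sets `ignoreDifferences` and confirm the `helm template` output parses. Rendering it as YAML instead (`toYaml | nindent 4`) would avoid the flow-JSON indentation question entirely.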
@@ -280,7 +281,6 @@ spec: retry: limit: {{ default 20 $.Values.global.applicationRetryLimit }} {{- end }}{{- /* .syncPolicy */}} ---- {{- end }}{{- /* if or (.generators) (.generatorFile) (.useGeneratorValues) (.destinationServer) (.destinationNamespace) */}} {{- end }}{{- /* range .Values.clusterGroup.applications */}} {{- end }}{{- /* if not (eq .Values.enabled "core") */}} From 6ed1a054c4455a7da3470b290368fb1df354740c Mon Sep 17 00:00:00 2001 From: Lester Claudio Date: Fri, 19 Apr 2024 09:17:03 -0600 Subject: [PATCH 56/64] Updated tests for CI --- tests/acm-industrial-edge-hub.expected.yaml | 16 +++++----- tests/acm-medical-diagnosis-hub.expected.yaml | 16 +++++----- tests/acm-normal.expected.yaml | 32 +++++++++---------- ...roup-industrial-edge-factory.expected.yaml | 2 ++ ...tergroup-industrial-edge-hub.expected.yaml | 7 ++++ ...rgroup-medical-diagnosis-hub.expected.yaml | 8 +++++ tests/clustergroup-normal.expected.yaml | 7 +++- 7 files changed, 55 insertions(+), 33 deletions(-) diff --git a/tests/acm-industrial-edge-hub.expected.yaml b/tests/acm-industrial-edge-hub.expected.yaml index a912f0c..b44e051 100644 --- a/tests/acm-industrial-edge-hub.expected.yaml +++ b/tests/acm-industrial-edge-hub.expected.yaml 
@@ -215,14 +215,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-factory.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-factory.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - "/values-global.yaml" + - "/values-factory.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-factory.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf "%d.%d" 
((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL value: https://github.com/pattern-clone/mypattern diff --git a/tests/acm-medical-diagnosis-hub.expected.yaml b/tests/acm-medical-diagnosis-hub.expected.yaml index 3ac5fe1..b98682a 100644 --- a/tests/acm-medical-diagnosis-hub.expected.yaml +++ b/tests/acm-medical-diagnosis-hub.expected.yaml 
@@ -206,14 +206,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-region-one.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-region-one.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - "/values-global.yaml" + - "/values-region-one.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-region-one.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf 
"%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL value: https://github.com/pattern-clone/mypattern diff --git a/tests/acm-normal.expected.yaml b/tests/acm-normal.expected.yaml index 1a3f6e7..ee3f05f 100644 --- a/tests/acm-normal.expected.yaml +++ b/tests/acm-normal.expected.yaml 
@@ -609,14 +609,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-acm-edge.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-edge.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - "/values-global.yaml" + - "/values-acm-edge.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-edge.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf "%d.%d" 
((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL value: https://github.com/pattern-clone/mypattern 
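Review bot: the `acm-*.expected.yaml` hunks in this commit are the same as those in the earlier `Fix up tests after upstream PR merge` commit, down to the blob ids (`index a912f0c..b44e051`, `index 3ac5fe1..b98682a`, `index 1a3f6e7..ee3f05f`), so the series carries one change twice and this commit cannot apply cleanly on top of the other; rebase it so it contains only the `clustergroup-*.expected.yaml` separator changes it actually introduces.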
@@ -707,14 +707,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-acm-provision-edge.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-edge.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - "/values-global.yaml" + - "/values-acm-provision-edge.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-edge.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster 
version + - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL value: https://github.com/pattern-clone/mypattern diff --git a/tests/clustergroup-industrial-edge-factory.expected.yaml b/tests/clustergroup-industrial-edge-factory.expected.yaml index da52151..84d4eaa 100644 --- a/tests/clustergroup-industrial-edge-factory.expected.yaml +++ b/tests/clustergroup-industrial-edge-factory.expected.yaml @@ -716,6 +716,7 @@ spec: - manuela-stormshift-line-dashboard --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -726,6 +727,7 @@ spec: - manuela-stormshift-machine-sensor --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: diff --git a/tests/clustergroup-industrial-edge-hub.expected.yaml b/tests/clustergroup-industrial-edge-hub.expected.yaml index f84bbeb..d815842 100644 --- a/tests/clustergroup-industrial-edge-hub.expected.yaml +++ b/tests/clustergroup-industrial-edge-hub.expected.yaml @@ -1434,6 +1434,7 @@ spec: - golang-external-secrets --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1444,6 +1445,7 @@ spec: - external-secrets --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1454,6 +1456,7 @@ spec: - open-cluster-management --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: 
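Review bot: the @@ -707,14 +707,14 @@ hunk is a whitespace-only change (each `valueFiles` entry, from `- "/values-global.yaml"` through the last `'/values-{{ printf "%d.%d" ... }}.yaml'`, is re-indented by one column), so the diff in this expected file comes from an indentation change in the generating template rather than from new values files; the commit should name that template change so the fixture update is reviewable. The entries built with `lookup` (for example `'/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml'`) are only resolvable on the cluster where the Application is rendered, which is what the retained comment about `$.Values.global.clusterVersion` resolving to the hub's version is warning about; they depend on the `ignoreMissingValueFiles: true` visible in the context so that a missing platform- or version-specific file does not fail the sync, and that dependency is worth stating next to the comment.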
@@ -1464,6 +1467,7 @@ spec: - manuela-tst-all --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1474,6 +1478,7 @@ spec: - manuela-ci --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1484,6 +1489,7 @@ spec: - manuela-data-lake --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1494,6 +1500,7 @@ spec: - staging --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: diff --git a/tests/clustergroup-medical-diagnosis-hub.expected.yaml b/tests/clustergroup-medical-diagnosis-hub.expected.yaml index 9effcba..4449986 100644 --- a/tests/clustergroup-medical-diagnosis-hub.expected.yaml +++ b/tests/clustergroup-medical-diagnosis-hub.expected.yaml @@ -1581,6 +1581,7 @@ spec: - open-cluster-management --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1591,6 +1592,7 @@ spec: - openshift-serverless --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1601,6 +1603,7 @@ spec: - opendatahub --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1611,6 +1614,7 @@ spec: - openshift-storage --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1621,6 +1625,7 @@ spec: - xraylab-1 --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: 
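Review bot: every OperatorGroup hunk in these expected files inserts a bare `---` directly after the `# Source: clustergroup/templates/core/operatorgroup.yaml` comment, so each `apiVersion: operators.coreos.com/v1` block is now preceded by two consecutive document separators (an empty YAML document); the clustergroup-normal.expected.yaml hunks further down make the cause explicit, with @@ -601,6 +601,9 @@ adding a `# Source:` comment followed by two bare `---` and nothing between them and @@ -1165,7 +1171,6 @@ dropping a trailing one. That pattern means the template emits its `---` outside the block that decides whether an OperatorGroup is rendered at all; empty documents are harmless to consumers of `helm template` output, but they churn every fixture. Suggest moving the separator inside the per-namespace conditional in operatorgroup.yaml so only real documents are emitted, then regenerating these expected files once.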
@@ -1631,6 +1636,7 @@ spec: - knative-serving --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1641,6 +1647,7 @@ spec: - staging --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1651,6 +1658,7 @@ spec: - vault --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: diff --git a/tests/clustergroup-normal.expected.yaml b/tests/clustergroup-normal.expected.yaml index 8d3d4d5..0cb1cc3 100644 --- a/tests/clustergroup-normal.expected.yaml +++ b/tests/clustergroup-normal.expected.yaml @@ -601,6 +601,9 @@ spec: name: helm-values-configmap-example restartPolicy: Never --- +# Source: clustergroup/templates/core/operatorgroup.yaml +--- +--- # Source: clustergroup/templates/core/subscriptions.yaml --- --- @@ -1135,6 +1138,7 @@ spec: text: 'Example ArgoCD' --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1146,6 +1150,7 @@ spec: - other-namespace --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1155,6 +1160,7 @@ spec: targetNamespaces: --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1165,7 +1171,6 @@ spec: - include-ci --- # Source: clustergroup/templates/core/operatorgroup.yaml ---- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: From 74a1f10bdd28ca042bfa15b1a73d973d22faa9f1 Mon Sep 17 00:00:00 2001 
From: Michele Baldessari Date: Mon, 22 Apr 2024 12:18:36 +0200 Subject: [PATCH 57/64] Update ESO to 0.9.16 --- golang-external-secrets/Chart.yaml | 2 +- .../charts/external-secrets-0.9.14.tgz | Bin 99176 -> 0 bytes .../charts/external-secrets-0.9.16.tgz | Bin 0 -> 102068 bytes golang-external-secrets/values.yaml | 6 +- ...rets-industrial-edge-factory.expected.yaml | 414 +++++++++++++++--- ...-secrets-industrial-edge-hub.expected.yaml | 414 +++++++++++++++--- ...ecrets-medical-diagnosis-hub.expected.yaml | 414 +++++++++++++++--- ...olang-external-secrets-naked.expected.yaml | 414 +++++++++++++++--- ...lang-external-secrets-normal.expected.yaml | 414 +++++++++++++++--- 9 files changed, 1824 insertions(+), 254 deletions(-) delete mode 100644 golang-external-secrets/charts/external-secrets-0.9.14.tgz create mode 100644 golang-external-secrets/charts/external-secrets-0.9.16.tgz diff --git a/golang-external-secrets/Chart.yaml b/golang-external-secrets/Chart.yaml index 6e2f5b0..961f3b2 100644 --- a/golang-external-secrets/Chart.yaml +++ b/golang-external-secrets/Chart.yaml @@ -6,6 +6,6 @@ name: golang-external-secrets version: 0.0.3 dependencies: - name: external-secrets - version: "0.9.14" + version: "0.9.16" repository: "https://charts.external-secrets.io" #"https://external-secrets.github.io/kubernetes-external-secrets" 
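Review bot: the Chart.yaml hunk bumps the dependency from `version: "0.9.14"` to `version: "0.9.16"` but leaves the wrapper chart's own `version: 0.0.3` unchanged, and the nine files in the diffstat include no Chart.lock, so the newly vendored `charts/external-secrets-0.9.16.tgz` (an opaque 102068-byte binary in this patch) is pinned only by its version string rather than by a digest; commit the Chart.lock that `helm dependency update` produces, or record the tarball's checksum in the message, so a reviewer can confirm the archive matches the upstream release at https://charts.external-secrets.io. The commit message also gives no reason for the upgrade (bug fix, CVE, feature); state it. Since the dependency line is being touched, the stale commented-out repository `#"https://external-secrets.github.io/kubernetes-external-secrets"` kept as context could be removed in the same change.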
diff --git a/golang-external-secrets/charts/external-secrets-0.9.14.tgz b/golang-external-secrets/charts/external-secrets-0.9.14.tgz deleted file mode 100644 index b75ffc1039b538b531ed211a0d76dc056de4502a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 99176 zcmV)AK*YZviwFP!000001ML0#cH2glFpBrzehM7rn`P(xMACAcq>tC>Gowh3TkV^c zq}X4tS+n9I35ke6fCGS%l}sM%yuf*~-`=|}D1ZQ}iUcLPUA4Y%Iu;9c*;Tdgm+*5D zW(kW2c{s_!A|L&w|MnExkKccf|9kM`_fPfzmF+JF&wqIO!;jCud;Y`ozdSv7e(=My zzXacJVJ$0dnHMYzg1^k8$t;Y+)_$hnzt9%e&;Mw~vSN70=5cRx-~s>e{CVs7|M>KP z&i~odgQo}2;O_@NJpKOQFTvB^R?yMD^7Chl=tG$0QJTC6Zk|12i$(d*r^Ekic<}tu zG|VSiv?%D0FU5Tc_&1^qq=wD-#!Y3-~jfN*qlXp1`9UIk`BU z4bOiCVnsM##0;R&A0=?d|33f*@c92eTF3dndw=ord{}%gHl4$S|KYT2`2WZ6@%%mh z-+rr~e=uWtFb=~cn1+iuy$h#7zMM?LJilDV@m&xlgt+nrn}oq1e+2Tn1bg+7hN|CQ zFbw|u^Z$7C=p+dM+lE${n~(m_5!}o_{uls8 zxCHK|<)!ZhgR&bwE_t`#;fTWzEMA7Z=X+pbvS=Cx{}UA1GMNNFd`JHo&Ci#Ym(k~7 zZ?G4Lu|ilD{O2QD<`KT%5MHmGfup4VUa~m4i~vyppF|rNKKdB)v8jK7GvHx>P`wKPteAF0H@Y06xyuIRA?_ z@#1gxCtI#jfrAe+Jmaw9-^z7X{^+>4MFw2=Ww7^e`QYF3z1moOQu}+>{Ga^x9rLp( zsUN%&I^%sjRDdxFKy!dkG$=c9DvI(^ZuyV|$!s`h^=sQfw|3A0R)G*-q+#dc-DwvZ zv4s#s@G{e-7B7VNirF}fZ7w!-FLzr%P5q+r{}#d*oMZ-|#ntcq|Mr5tU-#V6Njjgy zK(thw!{HtIT7eYIhxu$o%O^@6C6jnL?bzawFQTJk4hJ&-B=iTnXH!euZI;Wn;p2YqtN`3~|7rvDcn^W#oQu`ilbrhc2aU_;y2H*Z z%6Z3@?E`yOuw)We&tB)yv>h3-^%mAF$KKl7P4}jcJ=EsdY%e8ORu|fG@nqR#k}gqU zks^C$b=T;_L;l^nHesXMZ8+hpsEK}0+96U(GQ)4%22J!WYpkmreoy?zp49-|Ty0J=1vZptKq2oSQDj9ApWW3TE4B%uma8MWSh*?3fPC%%iUM&(ErxCu~L=c=pJC!|9)4~ z|33fj=?`B2dml}_X;kR6;3I)ApCoCqLL;#2Taq2JVVJOS98SOGJZ9-t0DMk9x;c1s z9VOEj!LhnTkAUlDQ&zAS${60sN@%36&CAMQ_eqSA(v#f;kJ zlGAk^#v+}roC3C$ljt~&zm}hAC&K>_S2o|rEz@SR+FmKL27&!XR<)YRAUI3&;$2wWrrCAZhO}A4a>n-a+(67zUw*~&h9Q$-|9dt zyUKMa4d`SV4`vVy29s<$$in|#hRbjOj5b_j7XPh_3Q*S*(X%==jwc=hnZ^F*Lgc01 zr+ql0<9~Cd_tnv`SAT0$qiw!4p_d%6=`{P>i}nLhdQu?6VFFkqD^>@ag)A;+zw^Pm z4wHej80PtDmX5p3z_yNzVsh3!y5Q^KrUj3ks^BVt%N0?Xf>Y&8*r)k#778>s(O_8NVI!WUf!Nt*O 
z?Kj~Y%ZJf^t6sF~`p{kYRaheid?(#3tl{p`Agq|Z2u9fV?)S=XQ4$pqi;u&Y-N6k` zlPR#=&z@HLEW#`zLe78v-hm9#^?8}xRF@PcH~rB((-NdVUF`;|Kli(mb~PS>;zJrQ z=iyuAqH628(SCXHsChxQ13RqSdd=E$`BE#Ako5|4OODQTs!2Kxl|4$+kcr+`aXMyk zwU-)O|LaCwJ=zl>N zokn@Kq)4Fga(We7DuNCE{|Dbce^%4~{_yPCbFcrsk7lj^ZP!p7t4r|{zZ60fyuQkK zK_YCaG(KIOq+jjvU@;xIh7l`^yl-{%7ehuI@P9UDleGea4fy}N?+)trzwh9W9{=A*+Z6xPrEoS8 z4r&OWMq$fh1{~VpW>|H}OvB@GZ-qBG#1d$$~J0eNT3m`iwr056CQZ@9Qz_!!5{5!d6L?k}&4{pM2Ty_RrxF`P`l`rZaw}|o7zm^Mt zUa0=LkUuuAbvlo7Txb?vMab@Jr_;9P8x}`X3bhlrKnBIJ`&@b3>HsegA`k{F z_bj}`F(vFfb_=~$(PAHa%a`NdfVB~*%RHW&Ep-D1TW+{&gZ*+CtsQL+{GT{kcNWkj z|9|)WL7o5m{s%Ar-%Hz+|C6R3c{w(g{S_J)54~qWzqBdchp_MD9##h>>)$Jkr;`yh z;{>g4%Fs73TFUC{(@kZo#=HWP>=fKms2lR?roF0U-k%u${EHI9AFR3Kf8oXNKn6_s z|Jgx3|HJnOUjDzIwkiH^4z5^V6HrJ0lFxIa0xn$XZYh1`P~E<96_}HCxa!^6O&A&! zxDM0xNR~W$e(=_X|Fda7N#NY`zx{Y{@SV^9b|1}j{%n#lO8-@$xAS^=LA&Yyv+ut9 zv6lbs*|Q&?`}m)GX*KH|g&@cA(b;jn8ppG$wAPevq^3R-s=#BVrmhg~MoLj7J?Iv? zLSfoTN)tU(Cdmp@L;j{|BJw3DIn{zm>FmR%)05;kl0q8dM~LjtMOTXO#;$`28(e1T zd^OHnrsEl{>xf(fgvPyJ!Ry6v^YJo@r+hUxTBg^7=fkIpwW>b)dJIzYz z@`@`h4ZQ`&#V-IR=(ys{&zt4#;G#f|G&( zhDi=jPdkD(QFsXQ2HO)HWReh?iM{$;A$T#|(r=(qT6^CI4iu~`5-&#h%%kG&+v?O8n3GMcna*GuOw-$hr)$F$kSY*34sXI( z#61u3q7JElb-0rR2Ft}z0SwKfp{Ff7;vnZ68a{ed8R|R?VJVnPq#^S$oeGlF(Kt@W zJUKCT9vvPY58fXxi`j5K)rMPSu%4`l>Q1&ATCV)P`?Ao5fjcI`QurQo0+_h7nCz48 zACKGzKma7+@ZbzYI!r{WK}sfq;mY7BvcW+3u9opM;Mlf+F(&C%68)}5&*eE0p8@wK z5jmyF%Y7g5_R83Eb_WCDyumWjM!eyud8NO~Q3}@q9*Fhn)uTzPA8=q-e$t~PZI8Q( z%+Fy2^+rW*SwUHOng@bE)!iH1?% zRiN3e7@H(*Co6cNbZ>99EeD(v%Z&Gf+a zcBFg6aK5X3<${07kqS>bht(lLVQ!Rknh`1a8;`JS1A{FnXc{61-8UCo1tJ%4^Z0h; z=k)|Z3x1-p#)xVVL9xv+pY8gwU5BlhqIC;~LzNA8is5%+d$9hDGND6X| z5Xwf9k1L2TYRRK&@PY;7Q^-PKSTcGvTUj zou^P!Nww!KK%#>D;aw0&>QL>2fo97o5T%vq`PJt7+7HFR3OHQB_X#Ha1kaU4b0Tuh zX*ruT3H5f;oYRwT8Vhd2I38RlsEaMFI5Z<^Bu>uG4+HqetE1D^3u&AhkA@Q@1wK_* zgDp^VT#CN2Gyt@>s0im4RNEQHuq7~&MJ8gK#^EPvlE5Y@18y>HMD?8d1wU16TIJ}ZQ=@H)bsQcZtNEKR2EN?O zG>+3-oTOYU78z0jtNQ_qb1ZTe2EZwIXjb0HwWK8 zYh0XmWc$G{=dVy_OP`599nGSIiT{2TW^vI&?3x 
z^Jz+Tc=H`MUtTH`m*R0$Fg4l><5kU|&TnOU7cFi?eB1kdO?< z4Tf9UxG5Sn-Lhcd0?q+O@3IQ-<6pCo6A)a-bi%S}`6}zCU3Fsom|9qea+VkKyMgvE z1lc}<%>A>Lh2+B4Ou(Op1*}`MJL4}y_&?X^!wU#R-og>0RYV!H5kYk1ddZ3~VQtFa zD%Zk09+x!{bxh8G<;5KV9qT5=;7m|Q+S!UN0M|}SY`P2`OK+#S0~)j8&n-{4g=jYX z8Tn+G5ld4^I*xjIN;9edZ8>g8sD%puC8qFQO>y7i&P0Ac<=^>G6tx>(-GP9pxe5ul zAvs(5(OHOgyAKsN77mRY>Au3Xa@>ZYEtemZ4qo?woz=98RR`?`e<`iXP5G5b*(RJ2 zzVa;Z?ak!>DcI<0(#2l$zyJ9B`)Bp|kLS;y`ud;u(ll4eCk;-Z-(WwiNbNG#;~%PbMkX6^XZ<2m&2MOfu9?% zqg`iUYRuE>Y=TR_h#H2J?w&FmwA<*!@ZhuKAjtpo-=F-)5WoA|-}cTh`|94e|0Q}g z%nZMGPbYnG$ADutb;WJGMkq{>f{wdUN(rj@GNCu7&cb?kPu0A;r+4@KS914kL>3hn zPtqTSIZ3^U;7Ehi_*or-T{fpGU3lBFua)JZ)=~mN`4otu0*Sr2;{fLfo78P4TUcXh zm0A~#6q*fdeRwO@>$E)Vdb*YKm9u@4gC3(D?>AyxMg00 zsj{-HDm*q?WblO8JzUuE|Av46Ki@X5y4@ybXAjT9d0K=9UjbLs;+Y(@X29W-i5pM* z5#TY5$GzsoXHNtRH4+=V8x4ow;tZEzF`0GS2<=_QO7Zhts_+b7X!f{c{vQ?}Xi)t{ zI3kO3kW5=bAlG0VvE3L{Z3F8yl94EhCh64df97DXp8{iv(PnEv_Z_g$8-iBOz74=0 z0+(df@h4!(et7QC^_R0ZR=uqNSXB$} z6Z^GF)=89Y+UBhi)t-z~jb{WA`* zPm37Jr%7njYFYM|(`q>ENDJ!oU?jG7yh-xuiVzwmJrgEsK*<#;vdCq(C#Y0}JGS_C zAN7m*a)C*+Izw)p_jJ>&8d!Tv65TiMXj|K`bBDn@0Z+NJkENd{e+jQmNX3oiIG2M~ zI4(p!fOk0mAXqS=WaTkBCeDLYHVFM84}6X);}Z8)hWA(i$9NuGwa_y^b}k1E7`nsc zWUhxBh@KxA+%WEVK%ERD5l$mB!`QLB^awLCa^ zVpcOag%>odBORAc+R2)Wrf>#2WqE#^X4Cz8J_;b;HuuAMJGNmS9ox}W8TWApwge8_ zfX>URqrp8?U#LZ}757asBYtePa9!Qjq^KXq(RyJ=DIqs#ZVZ|P+1${^5%HzS?0V%F;P8#IU*{At}R&p-XtcZbzIe zUa%+=5XPhrxmiSz&a^MZpwl$u{GX8eO5tFrxKTuG4S&XeculC+ga%#{>NTNW6S~s8 zCe&*}SK7U6LNARX(t2D8j;s6%#ti?8Ngd%u1|(^dn5e(-%}AjxRZHKoCMX*S97J5Dws)HFO%Q>+D~P;h>?TxF$D99|l>9QI`zE z=2G-7%($B;p=bmm_rf!S+$9$RAbRsU-5l!HT1dljHj^dW?f0b_!aI4JMTOzvtVeyt z(9&P&HR(St3*cU^!a}+d&rA1T(NFR?hFRW9O~aX(ro2QlEwhaAMVlqa92D=qSj3Uc zNEoxbFq4Xx;K^l_4TaYIu~+7ZKK_ zv7E|L^DQfv^|cc|8X{jbcJN)SdnRja$3;I*DrS2<{Xp!^8eLn_H|U(PBnL6xikaHv zMIt`Blff2hRuTG=XlSwLw@KGR)|rw>am?+KTYaN)(zWikwM{H&d4elv-PJxRuN#|ox-I|kVX#jzR5zmOeMRJmq9 zh)K@!MnIK*3iY)`6?KR?vF1h1>p_+c;Tfh;O^0}jZ?;SY2AGyR`A{-4=i>$q=u`tv*_P1o;XmTFE>@QOwC4Gn}jwRQ@jaF#Jga`Y=ein 
z*(7*>n{+(#X&8rk?=wuG*p~m=_NrB1zy;U+>A^s&an`1Ib>1#0Ri)6arwQp#O66jh z1>HF!WV3m8H86HwJ%R4KA?;WhsWQC+Ubc);@J?h^Gl46Miq6d<1WJFWk7?bHJNlb# zx&!0psZR!yTX%BxLGTuRQw@C#hFdF)QoH#!2i*BMcu)HiKCaB)dcw5KO;4CFeA6SQ z6`PL6=Jp22!qvBMUTmg_QHFyd^-ZW=e*L%7N_b>Hj)KcLq zV+voZbW}8htD)=(l2UF_9fhC6$&zDS^H6dLWe9}~3gu}uWd{raF^7rT`A%sWh&wx( z&cgcIP_&4h@3KZJ$++9ohV4ePBR@_XZ_gB_w~ow166?sMV+#AI#A1YWbA^Ef=257r z&(doaxyCBp*K|vAR&qHR#=CQq?fUxdby^zcFfH1$hL4-ZmZz(K%PhSGU9Iret6sDF zIxFJMvOuBUoV{z*hvJkE9oMK~+7D*?pd8-;Vy>_n@aJgV+e+V$%@Le2EF){z#5av?4VB!g+$wJ# z`+4lw@uA0ls~>snx7r-R>EfeX#$0vf6VRK>D;d}iOQAodAY%Q^8{+%>NA%9jyZPc4 zEmZ>7SmTyU8>*^8=M?vuW=+dp$viA#iOX=&@tulwL>X4q+m!Vljaw|f}6WGe2|f*p3O zOk~NIzmQr>xr1^?fPLry2z{TIdQ600wdmY2Z5C3M0u?KdpSKkqkj;+aFtQgF*j$$( z`y3AV2ihoiau!?X-s8=Q`SoV`<|LH*boy10FRK&qvw56zXycunMGN5!92TYPsYwIG z{WRnR{C1us7`I>G|GfMhVbKCS!s9f|;ji?UULeI6*e9HX0}Ed5gkxF+gkA~)9;B$g ztY8YgPZD%j;9E9fUfoXyCzvmDs@#yI$pARg;;wN90Y~_U4#u@76BCi$h5y1UkD#7& z8cdh8VJ55AMH9n3q@%_78dKhFD?!4VfZ9+*yWCIReCI$NMQf)X{JV%oyt&`n2e!{c zTN_9G!ae;D#P4*&{^WU%hCnp1{!$!PeiKn3+AtkcEpQ4vHuyN?VE{*WP}oAw_>+dnd`>zDliMc{GZwk4SgFKT{TXNIcw+`+)cnTQsCx5qotBE$Z&G+9u$p){ST=aR3LWkFK+VoY^i@7Cl+SX@HHRtt;pVhVv z=Ai{v4S)6(#Y10Fytigq|6BY@0nBd2zyD&W|NZ0h?|%5(Ey7Ti*#McTEMq^Ol0&+SiZzulB7R&1IAh zDjVRr&KD~*^6=Hm6;5KR=N(z2^fqT*SEf3z%YhAi&{V52qwy)SBzGmZ!G<-ttC4S- zR03y%l8P#O8mAMU@dFhncx1@*tJJ_E&j^pX%EC+F852}d19P~*6nY>yev;AZpM*E7 zujlRSd5h-jdH?Iy^VTqoxr%p3_8)_OQjlY#;M-z7sin5&3g#@s|9*M?URO3hL5=$L z3plnbG;9pT{~pCG&ynyo$3CMDyEYIdQ-Yntd6D*vYwXKRNLp7?z9H9j8O2C9VJJNf zEQ};`io2@WWPraBZojAq7?eAgLMI?U9|rGbpsmUqKUX3A4P#qmLz+j4sf)30`gM30 z!{Jyte;kU=3j@TPcH-KLJiB1W5#s|h_3 zxz9f0?MhP}uEZ&X$09IIi(v2A2dd2%fIK9TJLj65!^s2_co-)sD0vgzQB|q}@r6@- zA~vTWA<7$da%|)JSAiO?PHnsfp8*h`SvnPi4&y{E7w)09ppAIta1I8Ns`_#xP&F+oVih1nAW+sNhL3XepQ2ie7vAY zNvoMItFIf!u0C({uVDhRxfVQ$y)dgF_gb@>>k~baPtuwp++1k}Bv~>iV6`3={xXJr zA=$Hs&;ZKNo5aKc|VJL!dR?GtuCEFPu`>DI8z<2?9;jH8h51c{-&2j?lh z4&-&vq##8u-jTBj)=Ls+hld0UNns_x4n>9JHl!hDYblRiyv$d;7`npn$00relASYR 
zwYItigEg>Y9}d^2)V$SF5jJc#IJrtV3A>aEghD<{p)MMbh6wIc_22SJ*vCxN?SAF* z_`F+!yp!X8UO}z*gYjubB)^2sS5Uw12Ea7dsYV9upeLLs>yzr3e!sCtE^`4P+k+HG z$Fu!Wp602A-;|a_7Bf=Y5uuU+$2?*BstGrSY%5fPEvFIc;;f^m)_v@UVxn3ChEK47 zPw-+{G*{v4b-2=5T2It+H~>ggAl-&>Jh)EM+eEX9(9D$m^yKXP5Z!ZM9i0Xr)9gA< z*)%von@7|rJU6$393RLlSAtg^C|fMTWXgqQQvFHQxw$#U@2wH^AyufATOQSZpBMyJ#4|#sU4TjI9j@}2;s%H&Iuis zW^@tmC+$LyF(8mIE>#Ds-BdeSwbra4p|+#5_Mfr5YObixhZfvUry!$VUgXz4tU0~}`2Qp6X!G}ri_>#N zqD4AMV^YzR3O*ERKJMVk%z5=@Z3*3%2E(0Jc7&r{yg5g`NCI#-)R*LCFkb}YyUwKN zR#$1lPCLA@WLv>H%Hc|?*URJLwf*c5tYcbhj~X-CTG;_l*doIDk&?i6<^WLPbuCwLG0y5C|~SKU{zrJr$CfY8Ql+?sZ~>SoCMx_NerZ;s-0Iqk)< z)8Jv)v|{NW$u;y$vmYa}hyNzaC2LM%;j%bvS(dwHF+bEz08~XRFBIH36wl7i5BszS zq|tODanxaERW{U#jl=P&9Olna98$bb-!o)s9ByOfInT0V>)hxtwu}9&c0QJ0R3L8g zjewy=PYo&$Yoya2v_gHsEXAz;xfB(JGJ_|lQ8>%)kz;c=ti2BJPL8eIwi`Ev1p2TX z$XnRFf~2}uuORUXl3I5s9WtO55fau9juMy7<0+4)Dr@z4%Hye8_bs`WRXHw~&uWP9 z9#za)cm-Fg+X<^t-aexbH5{XKl*Yo+mg&JP^b*Sskz%0swzeAL)-t;E z5f5^`1B3;H?g=@AL*o6KR&`w*RmZ#@PkB65 zS*yoW9#7S}-@BJBR}H(Q2y^# z<>uCtPMhDxjt&A&Yb&*XUuNO;jh$i}`@a6*rrgGFu;6izX%p`+{~#`Y2+vza06{l# zTQM*7BwDbTzB79G+A=FVC+&$*Bd{v|5uD}c5<|;JwBW0a!!~}aPm$J=(OQQ}?ihpB zBXi|M8*Q1Y?K4!)%eH2u*0~oFIG4)TTal%*@0q_q(DNfV$HWf02xrj4e_-C?{&kLm*!TbYz?<^fDupC zE$#(R#P+|%Jnf<;bQR?SOZub;6NY@?zTyb?D+s?ibGw|KPZ)x06B~|CJZSq5A1%6{J2CUseDl7V4KQw%!ugCEjP*6B}Kv z+{U`P*h_ZZ`XFlsu&+b?G?`Gr5`n`COVI>5(-F_IuwYTv_EKypTvL%Ky;)#hdtu&6 zly^Yl1cLrYe9IOVzCBtMLl;}MlZfkJCA(>^ueZShY#rDJc&^<%oQo9MMU!nFD&FXI zAL-R(k+%vfl~)RE(fL~^W67&Dy^2GThu}131$x;(bZo$e&i?>~9yn}k_d_@Db?@6^ z`PI%TLitv_Z%Yqb@V+ho3cf8ta9h)C^oc43nBR!fz`b)ZV*D+nG*M#%4~8JLOEB-4 zkHtqpSu`I7<)ff{6jb18VXZxU6qHMBe~l8_e_@fBO7rI{iAg`~fmOGK4T-GWdPP*_ zw`h3Dq#h10s>q4CnfA>rl}AO)#&%+PRJ>thH@TdD@_}U$8^>Y(Ffw?}d66%1Fc)fp z2KPlK7cS+kK5SjqQnGs#9OZ^{=bg%LJA`hZx7|zKUh4kJIgS3MZd=2jO)j6Ulju_J zVvXdQe3B%=-q@(Obg<`P{`Z=7vPQbF%P=?=7Y#3vOzOf(Kjm_{2OD2Ujv?duMPoa| z!O2f7hGJwg#EO2QzRUnbK<8o}}6-^kgstQ|j*ha;jmm6=>>e{TJX;ZW(?5dm zDOnN!C-MqRCPgAH1pU3!?qFqC3!j{KTd^{}h@WVlyJ~BmyK>!!=dQ|ewwMMevp#M8q}SfptEqWkFYoK+ 
zeZ2xtS8DCyeZ8!^7B=1}m1{x8YI*b>eY_GAgG_vnglHVHEX>yPn(<;u;KdRzmTa&E zPd@$?#1hMtu=BJC-`O0x%1$Ky!`3QtMpNh|+8Yv`QXuZ7m4R40Fnj^lh{LLBc}9Q@B)DN?FVTR--)C?XbIfoXn)UC>|VC} z&vVDIiFBk3Sh2df9m;ffQNiQ5($mT@L}+jAeZ7St%UkPGX-xp=5}YY#yqAD0S+1_f zJ_`1GM})oJvc;aw4$OJTWRo79mYvly`URs)+=`VXHL!V9)f|UQKIt`OcVC&~*7rHpch!9pPA-FRz9{bY zOaJ3CyP|N~90uT0H^8bb$P1 zsJBWqNWLQUxtjG}-DztcT(XuIR?uQOUbrk>USU#yp!Y>|Q%NGyXC~lF0DPDs4BQp- zKbPN1&ogZ}N!$-lPY}j8sLugj#;YZ~TEeR(yjsHEl|&$qb>yd0{;7x@5cD8}2Z~7P zJi1B{_VjBKoW6W31loNc6X|i6zE+RBJnpJ>?>$X|#yMH^E^%US);mmVIx*s+)kLWi zgk_2zQ8k&T?xLJwmz$4q!ts zgw3W3{7E`ru&kJe-C}_YN;xWrloy6q0?_87L+J*7CB^RPGM^dsN>+yzCX?)rHe&Eu zb=mSueNee+x_62c%ML`Kg>hJc=0PB#~zZo}T5p#!2a+o}#Hf?c!iFP*wJy+n>RAw@k%@k02=f`V`yVMjuIg$7@t!B=Q7 zcJ&n+e1(Rcs?b0<-Wm;mkQ71jNssdiSEZPGPCHr>tldNI6Jssfn-0635prlK0PbTt z4Hs!E^s1g8s}&IH<}49Ad@9Bcj&X2f{P51iJUg!2cJ0`RP?-a+ip=Y`d?!+|>jr_`=a=(VCPTiw~r>0nLut)mO>e_h_CljCdP_FQ~%{?77Q^o3+;!F%vQ)kEzkr5i|^ zXQ`u4u#Mo(hi%#g-vNg{Y3de>K=lpg;bg{=D4&~STog<)`Z}3Pww=y<8c^hn=B!qu zV0}8qELiv9%cdOi0PMJGS1!(yn4Q9Mge0>9;gZP<#%ywpRq5b~%u(|0%p+YkfGeHh zK59W;1bbpH-I_?=oG1_u+FgiGwsl~H0MV=VO(mmff);7k@~|ju`IqHl#eYo)eq!S? 
z$D3o_jCFG<+Cs1zyLQbzBUG>&X(a)?1y-u6LRP#}LkZooHAVW_LygM?JoK$idym)y zWUG|06xBQA!h>dHad1gie4~`G7zY5n6ppMo0KAmtr7SOHc`0if9wNw*Sajnw)}o`G z*MY-!oOAeDTrr;4Z$_aN(3 zf^Jr29d%Sf-q8q)PD_f^6(@$xI+L|23^tEC?Y81kXAfKOsB@=Lr*+rgZhPm}|8d*M ztaDtaap+3D`;U(oBK4EPgyu;;UX0$K93O3+A1_0!tL{u&O&}#>WP^q|Yd&+esBPWb z4ekG2=>-=S5nE`PMvsZ(paG;d{u9l9#)tWY!Bby!u0;jn(o0Ve9@KA2hdt8rmC!@T zg!4t3F`#3skhh+^;>_6U>Zp>4P4U@$TJc%^WQ%8lN(m?y;433VxbVXKM3%TuNCpvI zD)p)D_`8>MG5oxUGQtQzCevhkf7hv;IVd7xTab&zC0O4q>q$G_zQfJ3p02kWc<>af zM=UXIh2{4$$xxIOKRkE3Gw?-t)fo#@wzW!1JPLSr{R_o7n^lj+;T;hS}OMhy{_fTotNb7xB_zEmSmZl(+UcE z+woU{Eo{YCWt*NV+ya9zA!)eX{G#OD?VDhB%Ns=#g_Wun`Dns3xxL!9R5J9Yt?kx9 zcrOsIvh^z4U13>vUuD~~7l`%D<|3N1x!ws)Jz=8{US;-;GjN1n`UT4)o~}GKasIY$ z*4SK-Gx05_u1r@6`upL%nh&Iz1*@@FR@3d38~UO+vBO%`gu1eZ-8<9uDCv z`pY;%-5#@==yjW}M}{uuA*DA z{r6-Q!%g(AjM+uMe0BFEmw-UEnvC)jOMfi0*{9*Ktfujf{9cOpQoLtr9Hn?kT(^a4 zRR%e7MIhux2$BBQh!tz7aHl*Hwh&7#51=nrjil9cTMAl59hFbJc{6xo_!}wPY05tB zUF+0gvAmBvMrwK_GxuLpvlr5GPZc#Sug5Nul0L|Ya{}jniZt644|X{wETE*75gzj* z!;*~LusE6`3DNEFdIExB@Ltxf?VKhmwL&le=GBW-=C_NB({n^-MLJ1ik>-EFGB})q zm;Z>wtpGuxbCN|2q6LkohC_iP0eH&t1f<0cd8yj`4ld9fr24dycB1d-+E#&It26dbsi9e~2719pjQ!fh56p$y*3EAD08dRiC)sSr2V;myjU`2w&BoN{(2 z?TDo7iqmu<$k&7=@Cn=mOkoRnkWfC_%A)Sb0YU@3v=EFECTtvsQ-OIA%XQz^7NZ+{hVgI)c46R}@sw0GlG z7^f*fsa>aLg=<`Hz&j0T@@fHUiebrb=3GD)9$J?nD=5XQI4*uyUM2;VZ$pBIPU-}P zZU%sV7$!GSmL^#KiY^mchSRLT=MS?4Z=p{#5S71%LbIFX2L?3r7W3n>F?u>Bp# zjj`Yo`X!MH+IY~R+SjNYXj5Lpq>p!EJ5ir5T(d}9PNU01A(4ZdXE==T9|)5xtSv=vDNV|X6MG{RO858@^5x}a^tp2iWSTC+Vlu<$FVh%b zX6d}Fa-qspVZMaArP#zNBaeDuwB6egcEFowJzeS#0#gW>D74gw zPc+gGmm`c&^Azme9P9-Kv32j}8DJ|p*HnwUr(Zh0wW&;Zb71Pw1+DwZThH%OO9vyr zc^i&rX?ksynEoU0>y({}DglkRcOw8FbrH$}APN()ID}RE{o2v>QL~|q{ z<#k72r|ziZ_`UW>YhHWgwMSliBpO#dbiRFHN+T{}om%1wOHfqq#NYWsHr)?5oLggA z$)vnB+1oAUz1*cx;~8}qgvL-?!xl~dmZynLuw`W-|A3E_RsdebGD|ql?&r!|9h_hU z`(l~S1z(9OO4JFUm0Ylt-JAp9raV+^snjQ+2VLoRE=EGO=yI6|(Jd!($4MRfcmm^; z5MF~1t|E|fO;6gwMcv*H!OlirfoQ4gLoQvE1GNPkHU~ScgO_A2ftaw`U+O2TRf#kX 
z=jK6Z?LWAl``3;+boA^w=;-=o?=^TIK7(s4-oamRz3Z}z4jz4Z3Od2t+M&$W=glfM z!nP!clM_mJz!2uiOqcd7#Rc!bDI>GYVrLc#zQL<7VR5{DEf?psIy%5=)>U%dF`(O@ zLAtvhr=P7sRvGyAg>^*eNl6h++nJTlYEGQ$KM`*d;G1n z4bAz689IL^m&$Wq(YX=fR4&IaLied88}hWFK`<8yobM%z;zrxD39Zf9=QBP`8x*wq z2H&;$Pnhc&(1uUY{Rik;+f;^I&;il*qa3seb*-bJbJcPM91UvFa}+Gksdq&xO2d;x630lnZ;v!>7PUEBMqWvYvTYwzN0JS3RDiiZl zo}-|6)iIlumV)J7PEr;_G#|9n5Z$I%;{YZMG!ScS{khcyX@#7cbYCqWHvE}i@)tpo zDMJ;iTJT^2AH}))<8myilm=`8{NRs2AMvf|W=_N;*-;uV=lZoDl-9LiI1dYk+|LkQ z&*lAvLFc-inAnKm@YTzeolNzrx|MTiGBL*LK4y>I_($gkhZ zROj{MYPe!jyDHmI1TB2mrrKloR!B0 zXec>6J^Aq6dF_W9Qa$24h=wQ8=aoALbN6;~I1fJ;81x)-{|}h~3vZt0qr5MwiwPG+ zt*8(quPJhr|3sQWtQEu=<4QKuHuT9B(T8RSO%p$dFep7A6}1pPl}IiKK8jgao9Da4 zv~-DhfvYSPcNxore3mYGUb}?7W0Ndez@>T0wt33-DciPf+qP}nwsp$3ZQJJ5y|<^| ziRg})ACTWNcjVsddDgQ{qWdf*UKqAxkB)(~cI2ZsR!>8WLfN&c~Yy8Gal zIE*|d*+>}cSoc;3SNnymRz|q1Iz7mp_f7n5sJ)0XbHYhs&sA&Uv_mKkEn>d|D5n`< z2+Dtt(7E;!dI-}VK%Ik=EyvvhRL9K~c5+U-GSyAp7sm7q>P1!ND#J`cwJazwQ2SlLW{ zsDjgAhd$n`K3uQB4?xJB_V*+5gxID-kNUjAXG{+J$ZnuRI)X~U5ArIJpxZSv?hEbi zmdn${a_&pj$lGz5ytzgRv_DLTY)y)2e+*=D4ehjv+!&⁡Ve)YG||}Hk5Q1YGH8~ z&#JL@t+~pu(9p0g_Zs~76#x~dA&Myap|e#nUd5ys5D9)8HApIZ8Kgz1`$1+7)Yh3= zBYe6sE`pg0Yo`})Q%8F6_FaM@k829*3lA-ih^WWyNX$H4NcWtMdkCS$$tcEF@S6OvMaz4-4t^g2-U?=y9(`Y>sxP50__=pO|Zp*F&heGeSlq>*(f$8-h;B4EH?sZ?o{XJl>^Z z*93<)#^bsY8$j3BLOayKn`m@1$eqmeTDsAjLFVL$K~z9Pk{JJGH(<-E9PJsB-;e;8 z^Cp@|a@HFn6Zvwszf16TcoFqCAX9U!BIaQDSpwCeC_2`|#K;h+Wl6yr#8J*y8mokZ zSEDEiZMa+^2lQIaUE^>VQ=Vj`nCbmlUz7tPM-6bsE=;n+#0Y3nT!ZWY*xm~?oG z0q}pp05RK$0dVNOvAoiF6S>Ui556?pL3Ak3gXBarByK6y=>d+C;=-~!257I zd6HZJGH!|c4cqcpTiK5KtpYtuB~$5Ux(5hSTeaGV2;80c_FAX_<12% zxsB+JE=eU^DiF2A6e?#8n+`T$e`CM)e9gw6G{w1}H-$U8xbD*|3zx-!|0>7{TQqa zA=*Pm9LcgA&I@(S*b^h2yI4f$J#( zo}CiYC|NVmRufm{`l1AGFD^c6 zWq<@RrAQGUag4Kq;tU-k)Bmu!5AeOoNbX}6K!Dwd-D6&lcvwO3Vd zIltCH7QkRsE~Zk>N+ns38OTSF2FC32k1KJHK8tAbOrz(Kx;BkF?GP8z;ic6tW#<3# z*Nlfw;o_hCHSQKO?I(XNY8pG-K>9z^*Vp?0oxVD){g=L;|L^oQF(1^eU30BDqIT?W zRaJ0n6ST>v>s7J0?-$@>rx8R4WP`RNJjG`(MyTu)N*8R!wq3!w;gDzmnF8ppOz-Y$ 
zhbEMrk~zoS@D#lc#wf$BR?nR$n+URl*yHxC4n+cHqB~f)^XB2kr-~6CzvR1YETB51d?Q(F1$xS101&U4Q?N@0JBMV z2}E)y?tg(T1n}pL=Uq_MIAvj&w%qf}I?Q3~EyHkteglCCbLfBNQQRxyC0{&c#(T zp}2u}CaH&Z*79gKuIxM4@_OZ%63*;$rbwLmQ0I$x7}tzACa zC`-yWoB-KQ(LW1++iV9{BHil}`dbLK^$Z>)aE)t3aZsgv7D?VvO1@E^xMe}8Mfr~6 zT12*R-8>FHf7wyhH^xUSUhlV2EF=7?E{c2)tG$;5>Ipb#T?VnET(M2any+uR3O%sS zT9P1;z*wCroUB|l9Lj4sJqxswQ$?&=cGG^9#Hcn@S8bZJV>MtY%@$5#N{Z7*qK->p zFdB<bBJ)M>ybDfTllpuFy^;xD*nepY+#HtbrdIQ zt*@x(cY>Ka2lQ7OP1L=l>Rl=owC3v2y{JJCjbtLiK7q?ioG_PI^r{vOghjNVe&60o zWUw^N>>Zk<0-Fx{Zu3*ypq?kGTmdJekuT~}%yl-X0@R{64mfIN$!Oom@}J}JI7t)@ zLGd;=_Mbm)N!yTJuGS`%TU~xzdU)ohFy7XGWtCN3GW#TqHzUoLY`rzYkkzM#Z8dpw zid_Xpmfi`s)LGfY85DU|G=digT8XzTUr7MVJ zbmTJT(A5l}xk%I*9*rSA?O2B;dFiw)4a z>vK5k>VOw1-}I`la@`FbHVDm5=W$tSq*h!DKAC(F@RY>6ZR9qqh(uSZMWp=%9VTR? zp9EhX2TyFqzlIrh-7y_b3vY%`s6$|_6PL+NIviaCX6vcRJcX$K zb)miPo7dtP*>Yn2$k51&dVcQNjy*gZ$k6%Vn4qJqA{U_$iwI<#IJ*S(&81Z+*Czpx z|8_Sg%d286&_5n(G@db5V#{|{BHseRSdke-18b#Id3gV^4u1irT59JOLp%E?iDkg!gRixSnQ|qW5Ib_FVguXdv(zSfY5E+XGo_P9kjRbZ!=5e#f%N?u&bU@=p?j}?L4*9HsTQB- z)21yT(lM#ZMII*7ZnQsk&)P<%#7`LtMV(#IYLTP(oT?&S@f5zeC2nl(5LG7Nm^ALd zQv+9tGGr0@`)tWBV#l>|p){=C{?nj0B^NltSr4q`oe&ArF8D!ZVOs-Pj$O~`?9 zX($ZUBcjXw#WA9TMBkD^d&6dmuLJPHU#oe#YK(`qy1b8AX3*!5xZe*S5p^aLwiHaO z9_5!9#Vc_{Rm;HQ{j(bS+Rz7nOI@`a(9)W?4&^$Je{^y%Ouic{-R_HrWPht#CwJ9L zr^R4%#Za^M0UrMIC9t{HTVjkjD4h>eu zi<$~Vr%hDmYyC^D%H^NSc-@v6nng;W3=CQI@4wa5ImsH57MGbQ#x#{Mr0)5Kzi{)U zRd1%}XeCVRU!*#aaiPtelMdcYx*%-PBP&F#hh%7sAF|HaG@jtDd=Xyou6PPNEc#+Kekt z-%||pYh`I_znnbB6|JkM)rV5O{2B%ZBU63OX2n#7Br}iT^X{TcG|gVOu*hC__zBXV zeu8v#m?*>P0^wOs^Pk{FB_99fAR`|rZNBstX0VXF4iiv zW5l1VMg)F;u4_~-Ggt@DEqcqk_;`qQkiM^JYjzJB8Sj$`4Ta}6gbMk#V6q#;*~Ju$8w!9M^B@=&t&E4K=*jGx8Gz%S+SUdILVUo zS#>2ec3(<%4G8;B@(L-#G2yEEsHDfK>Sg!uw3Zh4r*(=FYuBo7aHRU$HxMLO)zeP- zDr`88$(iSm(b?UWr=pWlInj2}xLrF@my;9O#Z4Lk^2D8DG+vdHd^ZTToI;{y$VpkoAF0(a{GT`62E|bBHxnMC#hi_M-^K`-M)+#Jr`&_v9 zdOJQgTeS8`ERmY+8a(BOfJjhzqO7jrH`@Vf=(NJN-6i8YD85#vrb+0|W%gjQ zsKef=KpYrT4A+uCOSDkNDRyGG=Ppb!k6cSOTFt|6xaZHcN+IAH!#}8&CgEg%V5ii{ 
zVx&JO#S5D?HmSzIQ+>$pnNBBunc)O{M#Kmt%3m^1Ox86pMcOCEB7y}pIcr8w6s2BMX^)CdOv~<@FHs-SpEcPQ#&BR6vKI0+$cSOAj@dMD` z)Wd62-^t$^U8hS{iNECKnVjiMjY0RQE2|hp(IQ&4Y_!-i4Yroa-9c=sKCW>2RV(cq zyRJuO%WIx*9uBx)xzVI0v9VTvwDbqx4bi3`VC2srG`;k39(nxru#uR;0S1+*j*&^q3i}d#TW)^|wa5 zzU{tWbJ?aNDO>1k8sYkrQV5FVYLQEh?4bdtS5w6(gOQtiuh86?oWZgp&41XL>7{Rx zocIgXt*3-{=#>VwMefnL_NCOC@sDlW3y_O;G72H00!3u&*&CeL4MP*7+qI8A9u4;2 z^lIz&f^b5Dfk9BO6NP4}1(E`$m~{P${`H+OV~-Cu71YriNvtBCBGT&bK`&V#;g|gq zwQ^IN43+y901;^em@k#X`d4Tmwbr5_?%w`aZEXk15l7GQU)Y~(%PBd~@4%5h46M-W zD=-{O(@ZA)K?zn~O1?9blTs)W$xvA$zk?Hac0N?=fkkR4R3j_Lx!`X>*qU?Qu5toa z{ec!sJ%nS%Ea45}_l2-Y7kzpPwEbJV))D@@T?BPD#}>e7^YSlgF}@L`Vp-|V0fFiH z3|TfxEgGm+wM5MDch>o8;+z;uuaV;Z;bhw;eIIMzGM0sEM_?HrkO+55A;SRvo4-|2 z{BzL2)h7)&m8v!OQtmmY+SSP>Al^GCur;u!EU&jzq`FXaIpcs;OBfw z3Vn2zSP+!8VN8!LgHgwX83=TEE})sus%*C2j;d^QVjd@}sRjw`M_E8i1tpk+zacb~ zRE^QGEg&alULV}E;fOK#CeKP>sxXGAwWLtpDh3o+M}JBj?pvf6&Xm%%2URh_=U;M$ zDtT|ExarkK9{4UG&rPI3$S%s&{NUV016>OqiqIet%6r)-z_e$tP%gD+yMP2y)~_hn zsyeooD8&9F*1%OFw;loYKU|V&&9mxc+U_Q4j%MheM~dn1DOdZ|`y9M@+okRSPVG^+ z@iyoCvPy#Be#c(vk5|j_zte85QhC&hOJ2z->a4_$j8&-!Dy=rVCfZf!!wAM+H5c8L zhOVwiQ^ka{SYD8%+{XRF}gm}x7m{0Jm#r4C&%MBT==bYX8UaG zy=?MT0>8G!bH@DsK!BRuT^2^ewHFi|Dow}@1DAJ<=6iXt?Fms4){tog9D*?Mqhi739@=z z6*_?dD~;5W%z#~PNhSjOhYeAst3fc(ZkRHhhRh(Bo3ik?1KX%w`YAhBp%$esQS;tL0;pllYUebR6yoB{101uSqV!Fyo2UH|xIKm>i1752` z+GdK|;!CraPi2{`?$Ugm0?HVO;s5(6o-)K?Z~JALK6SR2^(33?t2B03~0=2K3ULQlBYp-KBCeBV;nQN-T1o2Z*pj)5Z<9 zq*trD#;mL;3o4A9XL0Z&xex~4C1^Y7cRgMX>N|v2n2Aljis#!T4SMu8-E(p4yi(>| za#0(YrDPZBFHZQ>B>RIHMUnM|6kobTbJI$^51eJg1#X zA7sQq##5)4awX}c^JJ%scZkm{c?&a+@?&a&xxjPdzqZiv8tkDE0)cX-W}Fva9vfj&{Er(#s3aPf_X^$ z*ljE4SEqh6LsvG8hxv~mT&lLd7%Rp-#*d`+O75S&QAR=?*LUwH!`bA-;r@*q8H*d! zWp-iPvo{!t13g||Q*7wFF0Diow%Z(0uix=qsmq0Is%5dOfx=5;{1@4BusJEeYGp&y zi#ohTzoP}PdgUU#RlkAeV2ooO)nV|-mLW~ZZrR=sbzvJ`!e46kbS_2Llw|b>{wp(R zYvR`AYQBs~A=ytfQYdUtoF*(sr$Ja8J1qA^M~k? 
zQ4t%C3*uyF?@SP=*a)_(fk3aFMS4%^7gY>gl4cZM58Na z$ShP5d+-qTrUCC{EbzIFY%k1+<8xmTfa5_C$GlYMr2BoMu=JMLgk$mCe!B%FOrx4z zAb1fD%7pDg5ge;34IAdvvSO%=nJcJm8Dqd1eam`O(M#Vf#)r&dd{UxUDYe+LbSjW| z_Cyjn5AxJv_vLoDs zp0dK}kL#;cP<`{fcwV41D_lEyi<>}7jYZp4)6>gfCw=-sQb)w+DUI}a z(#os=$!#STYtA<4zSsO#%7{PZosLkhf(fR*dtTB_HiWZ4?#Ap`s;Fhd?_m{NL6~l2 z6%36m6ZMX6OaZs?*tm~UK>^nZ0YM_rBL1=tF^!*XAIgx2Yqs$ldF_Z_wgG@cO>LPu z=b*K2xQq9t7B;>2r5uw5pongj28FDLIp)m$x(J9$eW`TRnmj*mMNyC+y1JY$lH=pJMovLyT$XrjF$EIBRo=*pX> zBiUvTkAj>9Z?;Uz>%>Wog_Eit!|0VMAx+T=jD~j^90iNivvi#Ps^9yi!+a6oWB@O} z*bEw|j5V65B2MQZ@LYd~-z+~u&KORlL9*tx10Nz2RP77#(P+$Gt3#g|c%cz4aUM9L ztb%^xFDfutLM>aXv;$pVO#JJ-QxKZAt|A8lHM~Eef<11_d1;?BV7>qHpY;lD_yXHV zz16EvDZBR>+WAzS42EyjLMD1Hum4h@8=|BeU6A;!C`*oQ`^S%dO%)5V8@U;nEQN8o zs<59~zkY&&hL|SIDlfA7%6ait`y>q+(p%p$B6n#*y)^#5)#Z^)_WTgb60V}i8#Ngf zJbNBB87nsxftNUx7P0>uN*XS*CE$c9Jt8Sw>|`Z5mtlrUGpBsAXq7rg)vpdMN$|If z;Rt7cX9&53BO!UwZnN29_~&@TPUjm_YYX$l+ue|Bv(l-UJEy6zcx)fnBG{_G?7Fg7 z@p8Edase5Z|NYtgA4K{`W&U4?w5=76DRIFfPf1bT=DjnlS4`Nytzf)z({E^^gKGbf zvtD0ax~!rBs`;f7?i#&=eNOAKAjmvTB))IE)kV=U37%Zy5yT-*_>Kn!rG+T0I*4#c%`yv{<87 zxVMBu)vUGH<-2e-=$NpgNPK3pxKj!Fmuj+xM25AX_e zqt-PHzh5r-no#@i*ovogcW@3`DjrDjR7Zla^z{zAUoHBui*1bV_O4XuR3{x>ObXNw zbRB1$YRf0DBq?(e!xrc7MV1wr>9UF*Y+>Z?zxPD;Q$;nfmczM;;hgQD80u_Iw z{B6(E8fM>K@_ILb~9c}IE{KG8fp3yA;ozv)p%H-!+RIEaO`k2 zVQGF)E@IiXb7icR#g-@#2-4AqcZ7TX*E>(+yH7&77#~rvw+s~bnbNJ|MaYx`zbV!+ z!~BG8$4+$PT#6hwgGnd$|7^YnJ&`zRj9fsh8?`~isRG8@JN?#U033j>)COSme1Opz z{MFjfdu@hj-ASqRKJ9LBdulM2bDd2<0Pi?i}952qN3lsa^-zO)C~QFpXo3Foml2MY_Xc$ly@e6V8~J zF?Iswr49*H7m~he&8mc8HRMCFOy_Iq@P-{{3@dX~ ztF^tm!E-4_XZ8svA7Sto=V%Dn@9Fgm&7{l#h8znv5^lW_sw-fw3922m+=dR0^iQ(j z>&8R`d8*+9Q@Q}#YtcO_lYJv5A=BOlsYkQ!W(aKtf5|Ur&BtWZCvqwgN-QP6+GH>L z36fKLo&ogI3Q#@ditO zRFEr(p!!A0aS)ZD=3hK@qj7^7e_obGbfp`m`{OewlcxetLcU@ebM1#T0+nHoV<3svi*|Z$^L}&Emn;4x>@3)HY^AZWcv4- zZHl1E4m3|;amxR(y-%o?uR>ar-{$}1QBAZyw8Ej&yFZw+rp(@W{4r>*oYOZp1Hcu; z+Pf(FN(<)vH9_=d&BRRfLh74B>70npDfv@>1_1jwBvC$OB|ILae|EZ6UPAW4yP3IDKPOp&78?$kx6dJ~E3EsLX#3ImS6X4F)SW;TDm(C? 
zzJJQ*WT%`E-bEw?4A9XYiQfOf(vDt74=xj-mSjQ5FKd6jm4l2To;n>k7Wq9AJ0B7% z+D?wvDP-*?;ouGNP=TF`qPGi0kMMog)&qz%b_JM&cNJ+XA*?KsG;rC&ag`A>uSFkY z3VP^P_r_I9G*-sWAGuz2vgZyv;V!#r9@}NvReJO~CC1mNOMP-nG90fBVCnb!HayJb zMS}^J(5_q`HKsyZJR?j=#fH3`zB&e?#+FUL- zkyHE1CiGCH7vTQU4OZBIiS5n#`&TyhO&q8umM;iH$-HRdP)3j?rg5fh~BrEp&3fYR~mmaM{-!qXOU3CpSr3}d*vJC!d{JqN6CJFAv@gM`YQa2Mcd%n z15)hWdG1*1cgx1Epkc#JqAndys)votf6w zTnfA=qsnGF-S+$jpABaBWbaa}3Z>c;9&T-0AhpwGgY1L-!IRI?+u5b4xn&B=Ci4OM zCF)o!9P=CP-|r!we;ubTgb>7b-y}|FK+7!j7r4xE+@LFG7nzo&G-)`2St7WCk_k` zT_}ywrG`mOF3tf2Jp!#L^*yYl$gWTHVUIfnd$esOD&)K4Kok4-)>3);ISp3DmaPF3 znHzdJZW419)#S~XuroFf|Hp}>~vP2b-{%H ze@P+wzP-MfF&&|sFMCJeCH#vaTGnJGsiN7kX5EpCi4ZGCHhsZeCg0UZGGnB$2~cSX z0Pn!O1&=UgxM^8w3AhJmP!z}pxZ1!d}6{p7B z1euVpkWPd;#8O3MiREm|*AYylSy3C`wKVWM__u9_vBHn8&|17v+3!dBaP)HHc)k@f z#Y`V~`blP-{NAr)bF!{FFmVLwlQ+DGRd^lL0 zgU`(f8HMtg)udXAAz@y#2fJ0Sn6B%eIq*TV5HbDw7cn?$JQhU}OB%U)r}2^4mSvS7 z;x6{x`5&ZyvL@9B`(Ga3L6xH|AXlDv5>l{&PT>aiO)!8!()VBk21Ft80L-1KQZT`VP|ujtX7UOJc$l z_&5nFatO)~WQRi<(jsSKCtvQ{koC?6+m5j zc8r7li+}AN*>(DNyb!n3{?g~qF+&4=*gplA$P8fp*QP;a`H!xVcdl9sy#slj(ulsd z2y}auX@~&SR&u*wI|5AfOXe5It9vXhSQ0W!zy~b+0O!bDqx@zSmXL0J9m>g$sVcv8 zMx_Bf20mBUITebDQxoY0ql8VqS*n^2cp*L1ZCrg%q6pl3pCYJo$Tocub%B0wZe=BI zTU5MEaM5|tF@<;z1s0$OSHAtZ&1zp@R~148%-3b%?ME+|op{~{zytWs#{R(Rq&By_FrzOG?Ixe?k6IJJ`Cp*^|F_&cTCA?F)j z5>aOl5Swkp(_0LEiB|so@4?Vu-H@%l)!u)@R%$qTGH)p&=aF+4Xw)?H*ix`&^r|te zH@)kn)<*+Yr7B}1#n_Gqj`QuM1OsEoB85{z#`Hek0^}=uzjX@b^pWJ7hEcRV1PH)b zrft#n{Px}M0o^6a#PygVo`g$5R`(@F{@qcUB9E2mfQ}f2&gqsMb4e?5sIy&BDM$1m zo<{*wLb8a~tfM=TbtXpf3V^z3=TjaI6}`>DoAVKjTp5LJ$39UrQvBs4T|+%KpZZdY zqL>-ti@?`6AqA1nN-QEPQ{WljciL;qp9OEq3jHKiZsDsM+J*#D-QsE|*Jtz#JFxqI zDH}EaDjR2O{}*K=kncy?ScUi#+$VP=&N_PtSJs}KQ3wOuKMiea7^=pl^YOSkU*geU zEtsv`(j4m1QI6*6K}<}gU=)E_D{8*`b(1kpJo@UH78=n!?Y6^C#(s=^fkCoR?4hJo zYpUN7U~0W$7_wrGILRTxO^yqM0;10%AUK#LIdZ3n2kAqGLkP~aSNsH??5^iRJ%6F? 
zLI*aDA4c>UEJV*B48YkiTphOopfVR5N}KcDW^XdV;fL4cbR98#;~kPv>3Xq= z_|sqHBJq;Gfmn@G{>e%@HZ!zUIM-p9Ph;6xu!1UlyRu}U5o6U&U}>=^b;8p=NWQD% zbYDrDcOD?y4t^_d=8CEGM+xqnt`80UKT{=Pe`~VgZ(h1Zxsi17kEz0R{tVVT=~pIz z)<`A2UODhPc3|Pwp@ho36Srm8HMw}%>Rtu*gYdcnm1ttiyWL|nsQSC`)#?9f+b%5$8NMYyZ_j%*H3$_njd$bev_Xao; zZP-2k-!!~Hl!&&KDee}M`Cfz&s;WAY3_|8>z}oh`sEhY4_}?GrSbJ?SE%%oxD816u zc0t5s6fS$$p7)>8ns3fjr?3B_uWqCYUN zCy`+UO-fj;|DoU&YgvD7ie>|krVxvszWW@iSn$Ooy>q)iq@Y9##KByU_9&|53ig3g zNNIvP1bW`z)&-fRqR>hW(O@UuA@{Ebj^dRwHst=>|GqFl?dhIc>b;a2YTR^zMg2d{)fG%WzOM<=JT z%7rzEI4QbGY2Y^O%HNgCq$yEVQgGV z)2Mxn{}y4Z;#e)ZLlAG zCT&-_RlD2?VzY7|{P*e!1ncQa2udptd0kG(X7Tc>wi1T&3|@leX843&F4$pVD}!zE zK@9N#MX>3&r$0WA-FBCG9`tqU?rqCI(u;+azNR7yg6)g!#RHB$^@T*VD`T{&jJ)7GLqbi7!m%#sx58 zIlwGSRc`iYB5rHERiGl_kl*kqSU%kcyt~xB-c3Ad_>_MMr5_7{y}EMVK|eDN@-_(U zwxLJv2Ej4@D>T!dR6hwFW(H`lx~{Dhtr{|mJ7`AjeWn-pet#oQ@k4%4mFM!&=hk1f zrrl}<$`G@^6F6uEpTe+fhVx6abmKk$cs9~hiO{E+?ka&Dj*=5YiN}q}0BUMgyv1e5pR0Tp)Ah%@$s{4*)YN%U3&w^?9;F(Dh!Sj(%sSVl*9 z`pIZ$=m{eG1!0{yk0bBlR6D<_uB*7HZI7{u?<=BLD=T-Yt|5o&(DPr#*J7k1@GT$wFy|Kp_Ua_J@@4Ex5K;R$_2nK?g z?nD2hW44I;Mf!4W1i2E;Op8T~3@PlX0n!VX@cHpt@|ELrTDQo;EZ-GF$XSK(p+r#y z{&>p|>0*hyK7EV41~;9v|Bd_c@~QCYlgGuu`m=zk1DpMQ^YH&pSWajAJnzH#Kx99) z%{GH>kd6EA(B7Le1pG0-GT|=({ z*I9K=1|Vq%Y%6(e0*Hl8_)0W)Z;FcwZ6xBUV}zi1%WLNx?p~$~UX|gAvr;Ge4Y3Tn zwf+qZF%iZvGlTxTO4vC*t9>!PRzy)xefx{8hD8&2um>OL%#zG!x+Y&>|R;rBFNK{ zv-;h##4wGL(*sPw1=hdeu6K|hZcQsFgTr|R|6Yu5_@vEYdVAn?fBH{L2-Fq+F;?%gm z@m$0Dco}<3X(XQkI26ZwIZt{kjHsiGGhFlJ0%+7~_<93bnj(2s;*(lmU9}w}lAh?G zgz9-1z73o(VoCSPLw*adkaLGml%z|?;xboNal;V5tqXBT~q5->)* zkS5020Bzw+|3J(p?s~pO?KNYuy@Q$s$`E)T?Pv`Zs zj@tTQ6iOaR@=VG=Xf!&xIW0OWYQlAN-8=Cp*MO?>_JwwY@}dpT-%E_mnZm4b8h(^m z66xrwMXF;)^1Y{|u1Qqslo9%b7g0!=n#|skn&3d>JkemwV(uBH3_z2j+7zTF$04Ow z-cF8~o{|mctVZ)YfqT1<4twSPCFO$9q`fWiG0Jg}qm<1o5$M9{i;Gt?IK%-~`=wvW z8K>4iSn9)9hjI1Vf}&G*-Xkgrl>wT8XT@b4pt^{oj&WT^(XHao?c-pq;hF%ZHY^CI zM6`h9g!PHNlY@<9DMu#n3v*((^05!rG;~TZA2d3C9};RiyuWJWd2CRXO|Y`l(2FIp zVQ4YUQo~J_s>1Ff^qx;98tgeG!pOh`D5mP40BmIqpEA&W<9s)m-T3~ccONX~_m|L( 
zKsM!M)gSv>GGN)+i6E&2+{c5Ps)gMA zu7riG0@Jq&=H43C%bMC{zq#5t{Y63%f%}m;KMd!JvcZ=Y zaPTVv)aF9Wiw(16W)qpFHr#K?6vHEZx30jBDO0*u*p$+_>;?<*+o@VSY@W&?K3xKP zeUUizlS6El*+azW|;$obHr1HIJH|<@Yn&K@KS|LK13~Zca+xnoh^&=uNXR5+91} zR!ZEShR0P!C6FXB@db?9Qxy-|Mx`*p;LUp4L$JOV+?5z6FBmg5l$>%=m+Cm}s8YikUE8&J=^Y;Zo(hiGdC2=H z)zvC7t!I~Ui!3i9W2IW%QzyL#T7{hviKbgZXF6j-&( z^>_V)zga%szh9f(nkL@}8@`yJj`1d)DTZM*I1&g;xs*|d#`OfXn3OIW2Z(jtX_TO| z*#9U+oTYw;;Gtcsy z&K1G6dOtq_J$w)S3bqbat(MsUP7xaGALHZy6`xns5E~$-RMDQC3CqQ|3zppdGo5jm z>)F;b7a7bin*3f%mSp@F#_b-{W%hZ_O0x(wD~XnxaVAsCbJGdUBNSUHwW=vZUBn=! ziBObn@(sginTcs}c+cZ7&X)ng^<)(evenp;)Vk{S1(^6(InYu2cmP)gB)%qmf@7UzN$C*ukKYgZ-6ouCRjC_RgA`)a|3t4RMg(JO`OQ(%O_6eLVFBl`g95iW_zXf zO4vme9y#PmACK=*C>{)kbkWe2=EhH}ek{{FvO3RaG$pSppAU`}tlmeKZH5*{hMk=I zn4X?oKXZi&hzXAP-$Pj)i6~yn;GgHtp(#jjwEPA@WT>GYT&kJUq6q>(uLZwmF?7ic zM8)Q+q`gM_=0l+s4N3MStJ1q0EtFX;%}?z!g=OrigVCk%0ha&}2Yhg#nN}(kF0tbX zGFXw_W83-z^jZ&eHYaj&pm|YsO>5f}9NDq&>F>2y!23%Q;J;3yPj|bWDE*~iM8k)! z1S&D2oVbte?hwG$9?Fi6PTsOBZ!#HSVrN5oKaSsWd4~6E2dWtYBd1AD6AakqwJt94 zQ`RLCyo@2f>7Sm>@JMw~DGp~REfAX}5E(az%J{I!W+H>tc9dBusCrkMMYxIE!_L)Z zGAI8?C`r%{MAgSeGV@blhN;=N_nP$X@6G)$iOp~B^LFPWg(jKNc4bcy6+?cd=j9o{ z3SM&_R%3xH_tbr|w7%k~vD_S2o=F$*rejW3-bngL`Dzw4X#;|O5hh|7na;WVH9Ec6 zEnxd|vOLg|0*j(8{%%6(H-VG_u~xD>Irjh$SR0WRvtU13AV)gfn}9KqgE;oL;I9&` zb|0UQFCkmjth-R=#3Y)Ox}E)y^n`70a)ajpBgW6?$3n;cq%Tgg7WUMJLEg?rf-I4Q zq%ZC~M+dYVS$7VIq9nbFOYRjsU@LI5dIAMR3Z!CrQp!)eB>%X>jaop~>QVBfB`$?E zi`%3dcgqti2crZd?1XGZ7b$HJ#f+d+*qeDpP*F$I#PZETNVH!+Rkqc{n1j#c zM<+9&PL;JevYiqS*(pAZgL}I?e}TMeU>__dTl`rLq<5dMP74jbSgAU7x}L|My`Um^Lp#q6h81U6>M6;UFa0ZFu^4Zf}) z^#XdPN@E5`vIW9IBjCw*YG7s5bhw#O>KKO}$Ec(GB)Wc;=a7k}PATcSO4u)Pk_ora za@~vALO7zbj`O``cDjkh`Hp@_$2_tQ!{XQO)JkE$(Il>%D26b!+7*s7^IqnGzfhVl zQ7}}~ThhoAtTjp*rCE;|raiZ~C?_!xmm)R}L3S|DK2ImAw2d~@@?0k>&5b&1P0+o1 ztB)1+hEYlCj`X7)=c{CC&lNI|@vRUD5uf~;BB%d%Dcz z9rgr+4M_gW+g&gib)uk`8RakfU(&XTgDT5QIS*E4yhH#Byd%Zp_K?{=hKx(k-QgzPi2s?k?v zu}K01)$~pLRtFg=vuVc@8!QM++GZ`hV0#cu)XQWmJkTxm?_q+BOHj_Ms`8|SM_%1U 
z1WD6Vn6}$st+^6S`_?&cu=}%*1(rqFg0_hG?uFH4a>QlAncU+wE+GLlX`0Pr-=Cs5 ze|GQ4%)YQmJogbJkRu;e-~7rn?qD2#JAqTw8S=M^;BH6<3GVzZ*%{)xzJ|@3HY?R*E3z6-ZZqj zKi3cNSk=gAoX?>wsehS8uoIZ3mnS|o5pG>D{TA#vQVY$UPc0rO68~(SCF+{u(>I&) zZ{6S;ZAi1=s9%hj@L0)MwKJMrRLCo^vN!jvIm5xMsD(T)G&l)NkO2VkHP^bQNSm$A zEr^;gC7RC>HP5U}5HvyEncuX`^TU2SVp@-Lg`+>bL2X8AxeyUHPHk^=KxUb=%{FG4 zG;?(bhB%oeUkNs4m^G}pqARa;dm+64)QW|PE4gdp(QtTb{*qrw1;+22SF0;*H2YPy z@dkC=a7Z8b88h??hf&RUe6gzfcav#E&qCS-HSRLBC_XSTq4mNS^iB5%{<=>>{2LE{ zr(OdOKM!*j-WKWbQfoP{ugsq-#QiHzf6ot_!uMyNcY40Pxj%J_ec~(yikJEieRTY~ zG6B5wao#U3Jc=}ei~-UAoQ?07G(NZN8v%zQIC6g=9pZ=1S(&@QMbZ3{*~GDvB5!Ff z@^@SxAo0}xF*CIDisvMdn$VgxZ2-y=*1CZ>(O@5vW#{i1sbK;0yfIBMjX8 z>s{e3oZ#6%Ml4VI8WIuY&tsO)jg-Yh9=bR?GTQfMn>ZR7=x8NoBag$o#%t<3tiOhM*ZUi`aR;aJv6EK zXkYRG$tKZwpv^vZG@E_e0jdDdaF3Uf&tHQ$9==;w9NywnVlDY5P_D6=Ke)bQ%!KQe zQu3SXw_X$sN8fh-PyOFDgY{MGL~7^)U?bU05(RknIUwW|2r*3RSQ<<(HZCQs5*W3WKpJB`{c$cP|FSy>u1IYq zW6w}+c~sD@d62$5zV&KE6}PUqVH*6j0F}EZvP7HF!*`&x*ojtGxs?%A-eCxbY_G$O zntIqLql+JRJ)oFve92$t6he!~XFX-b?PY81i}KdzVP>m|B%7nH z5Ybf$ytB&eM=5XRF}S&g`2rf#FYQwpWp7VYY5}J?gj=+=KixJ(z&cj4m%=Qwu%T!y zCuCEJ-Pj;~zfF2|h@q~SziS)dr7oepOPWEo8hQ(XiI{!CaVTY8a2bNb#!kzEZ$kL} zlExHaVpq29or#(68{CS6?WI3ByS`j!IviD|Rh$mN$j_}^cv?d*Fg(jJ--$U*1>G0e zcSn7+E!WN|&06T)z&Yw6ZP&>X`i2LK-oF78a2G!tn`3R{&tC|_co*d$;iIb=etpwt zj$RF9k3ULJ3i74NZjV-Gy3#to(yU#X?xF&9z_xE~>|4k{kl8_#5OKqe>ocOgXphBg zNdnMs$iLg@<`%rAjGr>^pd)|pf9>`v{?x#!2;wy?B~Y>$V`ym$yYhhaXL9D}Z2??x z5E-iKO=g@f{(XsEevet9Zno-tX|H^s0jb}84ks!qI`=sAA4wlnaM~wD{e2Zfw z+o1PcZ8P$l!bn`_e#g(B|Fv%@9$^QN| zh3n(_S#JEr{=Cz@=5tx#_7>grRle-ApVwtG7M-qA_mY0r!BV%qKddlbJA*l;<0Q6G_T*rIqVq0W zdQIBTF=qQ7Pq{wLGMa!4!|QW<$f+Ha&b~T`CQ5OzHe~h&QIx8+TN_VMK>`Rx*L+N+L%So z*e5!C*P{t6M(UPWE#7uxlBb1ZF&-PX5f`wLuvIp8CR>_C+GYJN&|SADnBH(r8x|d% z0u@PeUv=Xq??n&Hd>gM>M>1I-vP)lFoX?jnOJD1vbBe?=81Z}njqbrz%q?M7Z^1SV z{FXcQ%u*S#d~uHidwr%zak`)iM9G_q3Swx@IUWiQ$&o)_P(j5i* z3$;v~g20p!iKE&gFk?$MWE!n<=BQx|m%3vS$~(x6`rC9z{?fr@t=_*ICnNweVOzbG37@*QE)9t4bRP`zX| 
zo-GBXC~*$d<0Rp09B7Huew2$3Z<3v@r6b3QJc#y5Y%!FAplAx)rrK{Di;pv79GHu9 zAW>So*wr}LjPomX^sWz-!l{Kg*VhN0%8M&n`zDF(` zDpI5O+^&+S*q*tMJ&2oz2R*8a%y)w1tjd|ltevLS!xFlt;@Et^t5OXC{lG+n8XcNh z9n-%$+(mq}b}a=F&PUGD749LyFsIW=h77-*N)!^fKAmW=8;c-~#Xkp){#`2!7vSl8 zT6Q47L%QISDxK&sBGMqEH8Lokk7;_ZoAL+s)VJt|)dY-bTu;ok)m|0mzA2N+rM$#e zB8XlBqBm8UJyKwj{@{T#R=iPH_qYO8B+KClGy?^q6FmmbgZgtx zstqNNg^L+;&PQLWM$Or!j`%7t<3fM>qxc^rR!mh)Ksz7)kZU&^JjB=gC5Fc$vI9ry zlp&_3F$N@7RS2d-nQ)nIFX(crQi7J6)*lKqz&TMMuw|_hVK;|FyVH;}UjoQx0Q+5< zKu&r4QAQpr$09{O#|vaMNn%TIvlyg4U2s|q(=UN1fqag>f4F3Z7OiV&^}zx4VWSI& z@?Sl*mx5sSOI-KS5nn%X-$8+W=Zt|78dduZO&D4~3>-$EY4K0m9m@oE4xSg7POB$| z*m+Ug7wSxVKpli`+1vVdB2l#y=dLxpW6we1DXx9Ay`yBAh5%;6KCDj(pA+mT&yh9% z++ulbIVzqTY(vv|B>WfI@7H9Zf>&|h z0d?ymA8=IUiv8+!vQ_bM^RM&+Nd!Yy#=&?t{mitMNvvSx6ReU{&t>96ByJ-{YfI*hVCB^EK%sLDKUb|nmg*v902t@Xz6Xgb_Po>JkT*YpYL&MYqg%^jwSVeDJ~(hCbG*~M|KH?UKR zs1|W>rOQ3jo!4oaCB+V0@0stKQxE*(OdKuo#$oN3Ao#7#9{i5tCINhDHONtuE5YWI zKO(s?A{V2O8GnAhc?>}+ATq5_)p7~48R{4>&;1G)`QC^iG?T(8*qCTR8& zZRy$~+t_*T_c=a&C-*ShqSw%M*0hGLn9et_&+X-8q1_|HFCxe`5m>{JFsUZ#!t0m} zUE+Xq$+~%!G7N%@GN+V+#ql4CaCYshb8j;YN_fT7j7(iZV(MQD(>ft4`)q+BrVU889mAk9|3~yM|qFoXyrMN`M&(ocbrvPN^qWgVF!fOKkv*{q+ipW?)!B7_!zK#K=r}>+#zTxL@5oLx{eo zU2cxkB#Sx2XL{d(>o3m_pgYnEaiPbGN~pTbIo6ygKm@0T)`EdDj)BM}zNI@5#hqrU zWa;vQ7p#0)80r(g2b>lyKJwK8fIqPhf1TRoJvQld$p-_P`KH;&zzi0s)@@|TjWc(7 za0Teiy8A{9vJzB$1iM4~EU#pJ38y1H$$^E%0*%0&PUSq83qrIlIU05G{nCf=-*K`9 z93|pNsXG0r$~U;~4)kz0t&1DT5JqKu&?-eN+5uBQp;J^D;XOZMMr!%mTx#HewS*ti zN|X)uddC`IlD*B?+r)li_|i79xPl#dS~vd9a-FWnU?N6rg_ZPsyDJjh#eeX2S~(ou@+sGp z%pnFV9RFGizM*37E26bcG+gw`T_w)7!+z^!HrL>>wG=kBKHBHvyeIBW!;~=jTmq(b7my!H1!o5Jid$%TPSa z?t66wP%^^SB3&u81YSx8gt@5vpL#u^@sZ@S8!bsQ*v<0F*}x2ESA&s8f2a7q1jVYP zA+R_9j}=@1hH(*xIf}m^_It_sh?ux8r#ce-7Ph~vrD>LlVqqTP#2n60qsPSw@Tl=e zsg)Q%DL7nZ$v%5z=k&m7@UP-wvl?ZwF1rCNDfz?@h~^RDnkHuFqheDvoC;7Nb^pk% z6VI@ow-%09ulmz-?2-0Rk3yxjf(?xNBl}7hMTI9&nl)F`yw-L?li<#5X$k|xMU5wo z^V8Bdh{k)yN(i{s&%SZv^+K~X%D+|CRa3;3e{IpduZ;t^P$l5ovso4 zkzMU{{5qqJyc!;8|>n9xc@8H%l;p^ 
z9<7z`*?Mz^t(+%+fGa}(RD0XTH#`2nd~h}+ z4dtVDEuPAPfltNylf9J9@*C2sk++ZNUd1~AI}y|H+`%kM?B6*)|4U_1Ox^}#Z+IuY)kA%{36K8k1HL4KZ& zLz+b{f1S8+*FR_2cvN_vfBEytXOnonK}G;ua>l-3vi|Vl`4bbm^z6$|W6W;j?<&c9 zA)@Pqwg5~cn{N!4C|eQmJ=SEn+dDKX&(_XX{lG(Z;>*S2pMebtO3{T7s7LNChb6>G{ND zHQ{LFZm6N!Tow~svO0lO@HawI@*Az7nwwFz4!43375DNEFc~Lj^%MLXZ>h3Yny69( z?SBA`VZf$vnzuU~J;PGmV zs=c#D!O~!B33oky?HL+5_Jr1I_u~M!e*kvJZR{uBF^M%LNq(jfB+8tN2&|5VanMmd zH@*2c?Gt9Rurf(qii2AG6(`tN0;hofOEs|-qOCdKJVRuf`> znS3#RrvYyEzO~GA{c-~>!ZFv%mJa#QJAZk6et+G1mh;eZf#eIprLkH^{g&+fm?l5M zg=0a$Yr>hgz5^TbL9_NRL9{PHufd|Fl8$ofisgzktd!Z<(Yg{eeo-Hq9jUonkfEy1 zk_so&?Snoci#F@sB)xr$)n4E{wMc8gBOJ<26|1vE#^Od30S6$6k&>Ir3EM z)S%-=n(~>MhHjicV3SmwwQ*G?-`2N#r`b`eid7d7*K;ui6i%mJ<(}{x)Hq|=Fh!d# z*lvAc2)Q}KRXIZ05LxO3hX-f+I@o&a;yyYSnUxnlD#9#cS{e+(&g zWFYN6SGD6wGgK(@p9f${0*c#r6xQQK+ldL?q#%q)yrm6t_y7%o-7*4BPx<>Yy% z{wmfD>(&b@F!fJA2{lnuttPYZAZJ0ERODC#xm$(2Q_gJ%MIeQ{=iSw4tiHaO8AWYf zF3k|q{6V=Q@&vzl*RG$2ibkMo<`?CL&)r-ot z6}bOes&Sr-B6;__Nc{K9j0pHW8~lPW3`|$LZ#i22ZbP0_JP@O~FJxr@i1k2ZAT2I- z^0GDc-z?&%KOrOf6;pY2#DBf&!IrmDTZ$PTEK=rDbP4xKl04YD$_Y!4Pt@BOmvB+& zvos=(|6-XTlw^-;LA10VM+E*jDAG|7zzuuXwNxI*JR77H z+*8wR>gs1Gk1G92o;1e2{LEnwg+4`#v4##K?QPG9sr&U~RI43D$Nyid&)c?iqZz5H z(59HKX{MH%S*F&_c{s+Aq@K!c=Q486gze1*d^n#R!uOtch7_9FpHZk^B9oa$7tdi_ zSnvZSEl9?2?J~W}?O@>D((?Iq4zFZ}EMQbbe0Bs`zRGa^LD{DMyx+bSo^T`lE_Ao9 zq;a>NaK^*sq6DDiFp2%Il$<{TicOZBc0)v;2O#u|UI7@nU+E8KXQUmEo!U|pZ|?ty z^^jd#Z&Wtu1s&7O}G$ARJ$MUX@_Y#uP40k<8xxw27`Yh5^*B zw>MRIiK>Nx8AZa+lZVqv&IC8Ojmj~MsRFb!n}3euK~`894ef4-$IB;}nVYaCAo_kl zz!WJw*Cf@>|D*qPHfjAY7EUDnSRZaCtgmjturn@pEcthG6gb_!YOeAJVY*I6=Z4NE zL=p=kPODS90&Asb^iA{LUBBiZ|36TiXqW>8oTp*W@;C<>1i^MOE>_?_OsdKKI24%l z1zY~8K>aqnVsX#XL=XIu+c=_c9)4ZKI711U%2D_N z9u`+;)KF@h>PZq7Abd&Nzu5OWzG;rwJ8?hCRc~<;oIfN|KUzBLP70Ew-5=MVmnY89 zqG|0amlKuvP2|;*^nQnxwG7uxgn<)eJlNNH{FOgifv#r*>}SRKJ0Cr*9&r@Hc2hxx zR22S3yo$W-Z4|4ibE>4X>@v;P9vvX5vTM?L#Z6j44w^fpbM4w*(b7K-*;|^ONYFvU zMV2fi`Huco!!r)OWNF*}I)+vI2ZsKNOMX-tQR*&U>?>N{Su**n%jZpn5 
zDRj=IW5i7+&@8y_kf@P%3_r_k3xw&8Z^@#x4M=_cjRv^RQ6M#CN9EY_+v(a7d|6Pj zC0MU1$({e=Rf<(=Im+o$3|;Es1ExyH5_L`kMy2LD6!KM_@j$45_dzhhf`AjlrkzPF z3+9%FD(dqr39-!zJdS)4E*AEB_}5>}L**x=7ot$a@A8%~Jr%fZP{ z`NL6rc~Ou8_kMCB>{2p4LqK;51k{vOO>a{&oht@?@4ZKB z6RUfHW1od)F|+BoeDV8_pdhdLf z@fx6$QT!{r3;p-0CN5GEg9ELo>%$S6tg={7t_xz2b>PggwQRr6ZfP>GbU>Sqb|daw z5~p%$i6kL617J&W%z4Q-_-45zvAz7QzPa#N&e1%>u-%I*G^u|3A4CJzUaoHJ%+iQr z?SE(P8Nl34~6_}r!NIOYb!trzlCZy*ifJgBi4)6C58y= zjdf9>Qhr)+Tq9y8v2S9X8JDL?&Y<`&EH_wOqUZQ8h*5%XQ&-C?A=mC^U`QM%R*=t5 z;h1aEZ0Fcmt$Ot1;As>D78Gydqv9|TMg&OK?qU`M4zK}j7uXsO0B`@tsW&F6wssB2 zAJw0WSyY39ebEks)wq}5H?usAd?_dy$_mp!s*s_3)(&uiv}Iq1$_Sk_$jTXr1dp zX3|_TX|?}QD?)Irqc|(hL%59+QFT<8&#z>ow_Hpqm(r_tn>Pa}RXP4DRWmpvIV##d zo!2;tAW5g4{SAz*5!C*$k8CoitRk8qWEnnnI2S&3N~*zys3^f#1Ehma-W!B^ zNLt(PCBP7REMFpHHMG@{AF*>J91kx7#E?QV_tqwTFwPGTzviz=Mbq$}MoHC`Bp#fb|Gd*Om*Gd-TQ;ehTw9?Oi>0AJo`?XAs6Im!DzLYo zETU_^yoth6NrsZfn5wl>(6`p@Y*S)YbHV4XVae^`e>MTXH*3CLWBroCeK>GPu&3L$ zRo`?_iRHIL^;CX7aWivX`W{e0iyk^?&kNlY-@IHtx0^^=J1^ftdhA54a@kH~GKBmG zw25eJK3!RMc`d37!cvd2lVa^&aR&u05L~?P;t-Yi%6jWtoyI0vDp|Q=!>}k~=E%iD zV?k^VtCdv~Os|KZYeI#}$|b~D?Hk2fW(Qxn2@C2>{KSK_=_xp-*EL0*O}Zc9{Vc62 z&W+`@Lrzx31w zNIUL9xkABh?fznL{q%211JS|~=ZhrB|2p-iWLjNiD)c6o;WoC4PV$5&stjH~266l;>@ML)BBM+^ z2skJ1ZbA0L)kB3AoRLDK$rA98ISB~<9&Uu5cSAa#^*#`F-lyGoGxrnrJk17RwU`(s z;B{w~2;`UD6K>+EUl+I9{pc&0SS4cujfv{uduZj1V_0Jvf2tf$-0Ykza=)Zo>HnO2 zlN)Ec=prpcv(9xf8mDH4|IqTbEL~Yz^V6t&eY2ohGQr}@L2^y z@0&!*RRx1M4`Ql=RL$LhylTveDl*sPrzuX0Jy$2vdJy}z#8#vg9?h=Qi(n!Syw>UE z=Ll0;zEV>={v>*o7Mr;N-dpka{37XyY)=aLD}}DrWAu8!#1+43{ekJKwDTFdv^3K*2^lD7#W5n7z918Oc97cNMTxAzenMo# zQR%}`n{qK@L12M*DqXeGlMNo1cFl>>1xWj@aG^M+K=r0Pw8=Wz) zBFS_%^^Q0T$5lX*tf5MFZjE1|48&9nBW)*WBudHn)^^{0<66@Z&&^T^feELJa_}qK z{_m}{A)@u)t@O3FwjJ%+;#@DBSWt5hjEyqR1gfvpc6=SDnJAH#N_rtAe?OGL6B}do!%Z>I>dN{YUNwvWVn7z7h0sXjZFv=K14K-j2Ymh zVa72c$}mC@=8y;Iz6sR71rOM{zm@r7o}VtIg?@14bzoNYvPl6;TyQW`YVO&CZkmb3 zsX)pqKuLNt9)Z+ePq#v;@sn#0*xj_eCDS;!D=l 
zvm$qwG?Q0OU&hRlZ5>MbLrY7WH#0eYQ!09Pm7QMe@%uh7%T%wsdpVtSbZjv@lV%a0cKsX~yynG9xf8tUt<>E#lh1wD04-BEfy) z96mQoCNf!<(6~1476W+~n^D!En_Oon@;-3M0^LG61tOlgG2YEsdV#4$x>tv~v~-~r z9;{P98Y3-*>g(Jevo{q|My+X}3L!M68#0^j-bv~lXfG3Mwp@~P7G?eSxNbT{^Y>KE z5OH*U?s@o{76K;vlZoV3fm?PQ4YX=6h>n|@O4oR)guvugoUa^CqS!-M4WjCItAthD zx2uFR&AT~w7oZ9lcJOEO2r8=nx%Q-=lc=>P-pxDf7-JG72Nffm*5p?QG(i|s#cg;@ z!K)aJrmsz0QkMSIl#nk!JoD>8t|5{h!U(m)ma{srfU zSU{`?Ir@?XJiy$?5?v1T2(`jVV?v?U>@l3ur_)1-Xhnh77@oGse(@H7y)n({qxVl| zmRrEySPR$wBp0igdbyf?*$lg#$O61SaN$#)SFJ)K-;RwHR>0z`=V86ec|0f2WQt#O ziPod4=j|F@)8Gc?)Bj8>Nz3v2cuZj$d~*@TsFBA;xdy(Gm_I#TwiPs(PR6*k-h`aS z^-Bsp#R!G7PWBpFI|w{t@4}*mt!QBeSh=n;_ACl`;}dFjRZVO)Df55zk1)B*b@m7)bPOHOb&{r&WQbt=HXB7u-2)MIORT0pq$s^95uqS=6*L*NNyTGp|)?Av4 zBVcADRcwI`ol%xZxos*NkeR3JCfz|PFULVb!F^z@u4D;dkn0F7;p=(9FnlrL$c9X= z{+j-~<3*RW$G}xWy`bga1lbq+UW{y}l9HTtiv>3DcgS0hM0I5!TMHQSW@iK+vvgqm zpwr9tQ#Cl7svr@g+@H^XGk>YxnR<`y`WgNUy;OF={|DqV+2jIll7V;ulP=`;51;p! zP#a-Z2Lh6js99I`rK*qY`bw}qH&wcQ@8Dy1nk!l;j-`wKevxk>Roa#3hNUVC6;R`- zEL2+?KA&%KUue53K5uI{uipPzSb2Xa7jjhLs_Y?~rbkmRvxO6SR#W!jFn^iyx;_~z z)1YT1cwc2kxwNyR^_huXwRti?9+h*k@ClCWoQ#BAOlr$;avN?F%obQ-|V8AV+ZS@ZEA(@b5!@6Ik9zR=L)Y7t~^QqT@~4cy{o6-Z`IUw)@_GTtHTkPs^x5LNNR zGnAwXRYhbP(Ql33T%$A~Ov(z{x2*eB4}TIDyk0dr@El|h))^kY^PuB!50sgI_rees z-UeR)A2}$=7UanUZPV)-FRB8XC}qqyO@h`z_n%?r#@gRuW-mb`SsCzzw&)0iIWzX+ zStx0vo<5(RoU#eQ9b|e3SJ$*X+g=NJSN`o~V-|`43Xt&OiJ0rWgPRPQ_XvGTk^|T~ zJ7Aj`eXNH43{XwS05$WiFXF}e)q8%MV&>6z3z*d%GYK(?hrQ-2myywbeg$u2w2rXV zpJ?RY8np*U}?l@oVs3Cv+XCQ$41XR5h(pNik5`GeZp0@h#FSi$V zfz=36@AP2y_k_<`POO*MCNN>cLY6S?1raR4F zj6W13&&6X&0&F|UE-{YaWrKZ=`8I7O=&^-=UF)#LVKc@<7LNTkFwgH1c14ydH%<## zLFT{!QEzAgg?X`A8eKMuds-w0M&_c5(7ru>m0MZ83^HB86mlT>0y3F0`*GaH&1*H0 z{%c|dBx@5_Eb@5qbEHGL#x;b@zx<2j7vCz~AUGK#dDY-mogSOuTu;CVaMufP#oj$hJgcT)q^ZvCUCE7o`6-WzZ&O|q%C zR*Sg@TV)`wYWEW~^5mh^xSg8<4g}bM1Hn*~4iq3o-mm_@Q{>0Aue>LrJ;HnH*PRxr z&YRhjK+Ja5VK#472hWp9?n}nNs-%&EyKauc4d}9SwzschLm49&aV%L+v^% z&a3S)321A-Jz8UKL)fA}e3yotFv9t3NHQET##Mtr6j|}_Wik@h2`B|3w5_eDlVQ{! 
zzso?NIE?oaWMx-My(8PJ(kM%wgGpCT`{L%ws|d2RI1KIMfaahU#kA^)#=NG(sm3&V zR@#RPvhL-!e{PK2f{VBo=LVP-++~yQbQIlh^zsW(Gj=8u@!^7?8Y@S12JIW&SU@Yf{C3=dN@A$z8Q|{yTR? zV*Z=EHfnh(U0PW&_g5IPoeep#K7ih%79UYdE-NKJSP=ORBvpy2x8F6hsBDn@7qMVsGHy-n7g!{RR7 zUh@<4RbthT4M%azA7d4v$>o-~(|<(bOauEUtt{l5p@V(>TDD{t=WmoDY|zfBV67s% z4bN?8+Af)trVJXP3jZ z@}n^2hhT_q=e~U$UL(Bv5o!=qkf2%ajXR~(5(Q*SZL}^Em|=neghMpcK@+Oc6P$LQ zp4ea|NaS)>uZ^HKIvh-5Wn4kR2-6{@LTVY&8*ADzc{ge@YD+xVTbdBnhu+5jz*JgZ z@*645G^{Fl`Q%!tcvC@-Xcp3aM(6 z1j>g!zb=dCQE0$ElYh;v>0M7bnx&ic#ts?kZI7~Kiei8|>*fANLv87cW;zwOAHTF0 zS9KslKtvfbW^%L-OYG839ewHj+0-ya4YS7?hH;QX4q9LB?fJx%tX}+h##g<~C50l= znaQpbWmvjQAU`@W1Nh%o^{#w9;J|6{@Cbbm11cwIaqVyxRNLFShosGLW~^8je77c% zKW)zwya)2iG=M44xQTnS*gGN@oAcVU$xu!*NPRPizU|fv4%8EI_00H3*~6R5ab+TD zg-z70@fx#t_LMKR*+_YoNSe2x zLph!YD+#zDUQ27Lb(21ZoyAgDX1e;Wr2WMTdD*az=ulJFc)}^yNJGzml6JCS4%(j5 zK0Vvlk7KZg4s8uGM|rmhH00NSfIHUA;vZ857?W<5rIoQTqbrsY)LiR3sh_NSPRmm2 zzmxK?D(q#d`?JLw_{TS~{utN$ey%XU+%W{Eq47$7zVd9eSaN-D@tm3A*G);pF;42) zN>X$6GB{!h_0sXNb-?bo0hzaaPyyTf92MW*ZO{m|PwjqC{pOB9&DWeC|5Z3_rIFun zQJRUC^{JTF`T*!|M6szEl?#6D3uWvwthZVz9+K)L zj^G#Ct>0TX;d&L``=LPKYQJUzU4r+nhds-U%K=}MzPe*V{Nz@|{~h0Bhdh`WJgt6* z>L@U17j`L2${DCp)j66wV2dJ&-zg|cd#`N`S5NnkN2AO8-KhP1bwUt{pbY`Hkdzb* z(#n8|p)EqCv8l)t1S!v(&?=R!c0lE5XZohk9TGBRj=doRVK#1rF?2#Ltz3y6v<>&&{u2T@=f356ZiY%C`T0sEe}+X1G!50jC8zpmG#2V(>;Z#g z)oSomT%2o`8dD{6XvC-lL7iXI^hR?)>n*=^sNG(@L8bgrnZY5=;um&qnP%pjo0o0{ zowne+Y*Q2@H6!x?^T~3mwhOk$W6sZ-s9pQ0U(3$(i=ZMF4_F08=ots&l&N_&EYkJM z8utr*MH=hO@CFJuyWS2ktH`>j=e1teN}oM;O2{;B6rYr|=rB+*)xL+0eB8&e6+mM0 zBeZIk9mJKHT~oc&EQhcykxmns)r-on>MNh{j`d8Ia1(ug;6qym7=shL4`u^LT9l1i z%#9BOKj23n?ffu)2LLcTu~r9Jpd&Be`5NSipuXh$yWqez_`&{yvG` zY65WsHme2Kx?*)@>GdE2Sl_j&wWS3!tG|247h8juBc66`Pfp|sB|>(0A@p_ocg$=S zYGP9{G43ReF47PGz)dC@n=9R(I!4YSadNfHDq!62mLFQ15%t%zs-%9?U743?q+E^To7dGtq!A8Qy*VFpcKT|EwC#L~*dl!@g$kDX{IeI1_M{iOA@TI;fHd0fZW9#kh|b8Uox3Hj(b|xdxvMnqBa~;$~y28G$@TuYi%!@m|5?XMOkIA z-gx)ay?^%^GK&(|dyS4pbt)(kYv_T;5Wk&+lgenk!Zg%Hhr|o)SS6ynAc)KZ2iOGh 
zmb;=08YHmSM1ZIlt_+WgLed>leI^V*tu;fUk{Tn zlvu zxu%~dh8=fgQNnmta>)GaW4OIzp>9i=-Ko#wLpb?Q&;o68cb~*jg86~#vRQEFkxUd! zR|BoEOq9T^a5z-7V5^{LNa>|Bx%G&kz zXE$Euh!K-je+u{ZCU^sQxk?890fu}yR{ z!Kn6Dqig#ud8^u0=2m`H<9$}kz4)Zs6;i<=w9GNMl(>UohC{M%B~WFIv@h2)Ww*z+ zLeQAR4W;t63oTA;5WK7@q+EO~yffE5!;|e^Q$&u8e`x+~+ydh3mKiL5d{>&x|KBezsv>bpC95-@27* zvd;VVC$_XEf}fcY&PLBFfxlI?|HA!jbO-CMQ+kHd)#AYA39eT^A@9LUG)md4BczD* zY2>NJR)2SSn5RoB@mw{nC=VekL+=s`kwj@;$kS0CF+qH1h2XXDu#MOx-do?cEE0b0 zfTS2s8JO0&ovIf?Bw4wUlww@+^+;>rAFtjTm^9|vWm|X)+MrYa9PF0QmET-?wL0P+ z#T^`%96krgg@m2}N*CU=qmf%ZhnU=5pK}baf=hQw@?o?j^4k z5mHDGVrQTfqWotfrUd_P0eNgSn(94N9HwA2r!iSi=$up~D=khi>>~&y&9)pHo0#be z3IF*x0T+BT*BzMcx96e0otIr7 zN^z!s@iaUWWWnZX3@k%_a{&F-k>gxI==w^jIa#$gYg&zI{BHaG`C;vD8}2yZ&nGAG$6IY@SoN(rAEyap zy(~*C{L8DJNwu7f*WDtkjn|udxs9_CIZBLVCp{mrdM*9C%yMZjL*KTlf~ogt(bAnK z*~m|GWnL@O2|DW&^V(qz;=)mBZS0K9E~i}Os@Z#r!CAiK!7nCbuyC8(un~bmSbY^$ zUIz+3J(URv&uKw|e#`>e4%tvy=tVuA>u~2P)2Hx9Y`oHCXPp`AjfX~M@!bCu)|&P2 zD^cP000s%Uv)^8$2{z93AyF-&ERiWXBRGo)nP;H0R;jRJNoCi-Cz&XhT-2V=zK*CG z&XEYKJ~xxbD*;OS_R+boy}?4t)*S?;qm2W3za5aR@cbQ{s1rnm#|NGD-4xsP3|L#z zeQx>DjPEk8FZLv{#)H(ed)lH$f+XF_U>9l|;?I)}VEYdr-rr!xY*_DC?&O;`l-uVw z0N%19KxxWp?KNj*9=aw~o-(U7(IMvXqsr0!r@J(FKwjL;OpQJ7XaH%E-7p=k;6_}^ z6RGGS9hOwCgxt~$Yqb)d04U4$BsORVU*#{f)bH&{o!OoSKbrqi>!qVOZ(I`4;c$PZ z+*|AH$05Sy+ziiGtNLG)w1E6SguPRcAmPGgTefZ6w$WvE*;bcr+qP}nwr$&1m!|rh zf9~9fI}!IGU-B(qGBWqK*Iwm2!#%XxhfJN_k?1ba`?v9bR*mPDDiK(n_wpidjEa%= zlTb=Kt~-JzPf#ouX*Wb6cOOb$G1&y)8^DhwKBZ))!HW^jK!!8+NfGpDC(5OXTO-)@ z$#D3{8f@)pM_YYs)+(8066M^En$&?~L+^F)>{M1a++q79F^VBnFS^MOh!Wn}(pf zwM;q1vc0S}yy#<;s_5Lm#))(cXXo%%oaOUEe=xX{ml$<8#@{HD?sH;eVtJ*PUA z+bi7OT#MY^RwqXOWQHWiR7L#$l`z{xMe64=%sBQ@1t}X%GMCCxIuHS;i-$O0W{Yx(G_fB%MHGxSjya(rT>nCMv3r$RI+J=a0 z2>r`2f^A**wJ6A)0rHeB*8XNn!3*ZBX=5y4xQk`rr_ig8#BSiG)FyNP@@RcA_;CX) zx<+4RzC)K?XoWPTWNSkRFTEg0M|&YK=49{#6hdK0$LL*;YT+WE-%PPuzF~!97}men zag{F4u_#WqR0M)+swmS_;x~RS?U%ixL;FnH<%Qp7tHffKc%182L&PI^&AV|2vczKG z*b&!A7lXJLO|z`l|!yBoEW7!aCKh3Swssr``7u`VGI?{p+VmSQC{BmZHy?W}alx3jb^Z 
zmMMUOQOhQ<_+e=gG{zY8*Aa^UIlgbASmRmLn62@r4JCdOrbH9SskSxPxQ@TNfna7TQx_`J6RZn~8byhx|ESM!U8AMr4 z_T8?!&o0k{3q4olF=smqn+QS_)j=d(5&wRTgsoOkxIl#UDG4>n&Tk(u1u{_Rw}zm|`QoDs;o_ zejEZJMPXB~v8I_7*of9B_hmn|&>)G%t~d2-C1Ynm;-+pYpSk#B!Mt=;Zm%oyQEGN7%V zsc=-J*-M=Mg8UQ~m*FNu?hB?(A>Ff;ni8vf# zkX=`-DF^6Y*^yep3H@Kh$Vd9Y(^{|V^`vY#t8KMPioS@@`jO7&g)1sg?i(KQ>a|RB z!eQ_C4guI6g;p)A3DfA+R5+AD7;+N}?8V*m#fO(q@`ca9zS6=qfbTuqCry9(XjcqC zB}h1nVcSs-S+CwpdC9k#x4VR+Ou%j02PS9d5y^NjiEzP%mJ7OL z;y)$O!(Uu`&&m*eWwpf07$rT)n$+j^j{Yf0^g1w}6mUiussh8`>>QdZw zIX>@w$@K)O=pj^v3FSeeFv@;~AC6T;;{@NQ zl4oc-yn=;xGrYn^7y@gBwIw2^h5eGfNH4jtECa)qKPwa;?;Mreo(~j3lGz_a?R&1E zhA6fIrg_+l@2`j3s|>xLu>hsX^hje$N!MD;IA~akasv6A;;q&KetY;*q_cd%RnG>e7S)=QR~Q$L>6hp zx4;{?&%vK$k^%czo?w$K=HTc}p~%wZ1+`ngs9QZYu;p*cd!I}qaCc(M$@8;H2d|Qa zC&-BcExjzz0}dyY6u(r(MVyH$O_(>k3a?We{!J6(nZMq&eB7*c{4gVSNh%8PME)^z z^4&l`dK&WN-n4Wzu3v>s0i1TT+UabPvH{sj-!}KFlCG6$adCI+di>4#sWG}usf~v= zAA86P$~IF+yZcH0!*FML1Z2nW;iOQ>^iUQTHFfQ_J0K*swwrBqv2xKj#{Er-P1VXY z8q@hxp>_s@SBMC=e@eY<+)ww_IbVJca*_wXSBf~Y29_PUAIW_9Ycx13py6-`S%q*r zjglaDbij4PbuKLT);NkG9}8@k1Lzt92byV&&#arR#3YPXtJHm9g6xn!t8s;RsI5Is z3O*vbCwPl4TnjzW)UJ(VXo^DGiDSPqRgoIum;BnYI1G!w;xF)sPU@lyHXePvoU>{A zM)tA|ArrY(x(S)kK_uVAig$y9zbRjwKF%s)$2!IbRE3?hyKCvHE>V~BP2+uHT5%!tlMf3jF6^GDG) zqaGgElZ42a)Iw^eajKbQ1?Nq#w1#-H=sGU;m6G3++gI#&PY<(WRAY91HC;htv~3|X z#&?6MV5qOf%orPqo?Z_02L%`B0H0gvLRQY?w|Awl`A`$!6E=5WTx=(Ac%;|i8A z$`DWZ)*3)B_&nE8xIk+U%3DMlhn?|Yl!A`uA4M}7=v>Bh*76t;2{iB%>Vbgfj4ps!&v(KOpX zP`&KeZ_QU_Qko)p-W8Pc{sM-Ye$?FP$A#nt%`!*}czU``Tfiz>8jQPP77#dP1#db) z^SKQ;)A`f?k!%n zn1!q6eLHt}&07wy61#ROD#k=w+V(Z$EPFLls?)zJ(7AlI66Cgb$2_x+L7d9~gTAhv zqFV6f7tk+HFpZmHX`Cq4I@)04h7Yx=MPx+BC@``YeD%IW%}(39ap`^;IgUwxvSyS2 zqMd*D;P30n!RcN?CP|YC-OsRkINLh`Vx}J=ADM21OnLq78EpdVct6N7&7(W5f6?l$ zgtWFPR)YPwQPm-BCyQ0jZO>kH{JRi2Unxw#f4DA*Y$i#Bv*^rnYam=#SIR(W!}OvZ z+H$#!Mbl-^m%Yx4cc^$9k728LJKS5*=6s3?*3_7_+EMv?GBaDzhE5u^`CVe8t({s- zkAoSD+QY$>}>KBt;k|17P& z2;6x{5-dml6Rwi*E$vfzcyBXX+Etv#sRV7^oHNe~!8))5Y_ySfzHv|{+la%-5+HB& 
zL+kVbSIkAE;TCjtL89l}c+M5FZ3Jwv%%T)HCmxJ&SuInBxwZW0P{sra#A$T% z;d*Xz)EY~-Qd0ZAL~r5P&S1-FZ#m>~AA9>(XOsf4b`1UO57h}Xtmyo+nsuX|eI##C z446aF>5vA4ZEd15%WMo+gWWJcaxmH)OR*f$zp(=wAAwUdl=(KW*oz0>yaZWGySE2# z0Jn#}F)X|505q|jS-;b=_58dL1 z=Rl@7QdcgMzJM4V!`h7f`c451Qv19)-8m zs{BR2@9zAuM321tO#!&8N;%-L1cslz^Vep6!f$EwZes_P(RM7S71Cy?!6I!%TXSm2Q^`|8 zBNU%5C^wIVCTlcnRxD~{?zvDo>g0F1XAo66UPv=U9n7F5D351yA?lo1U6F0Upxf5S zo>8GVA;gHj%1S5K(%wi%noF9Xa&|H5yLHc?E+>wU&Y$iUTW?PB*yC6AA5I5(5r;UV z@MJwNiz@P~UTV0OW%qVi8yB~C@yK}J(SA2~MX*F&x(H*FtAyWPtl)Bfm{Q3A@EbR7 z-S6lOZg&F?B^?mDfvQQ9^D$_%}BT%bh(js(PMF zP?1~rFLs(!dP%d7RRMOgTfp@f$%i%R1xQe(8)K`$nyZq{*;dErdxX&t$Y*~Rk#o2{fm1fqED^2N+ zX1bGB($@!mg>;QyVw>(lbWKK5#JINKFAlzKkfjg)|1t{pnJY=GMRSp_u=gPN{i=^C zc7a?2)mlx)9$Up1WteNPf%ApS9!Nv)hU+3^Rj8%)aPkBtCRy$k*O(xN7Hci?$b%e^ z!;x)NS;>{kf|UiF`|I}&G7-$u-TFEDN{K-Kv*`;3( z+uf!S;nu@lk2f}ZxqRo1Z_ln0$UgKUB$-)iHZVV0i#Pd22}JW(V^OkJ$C$@BqWg*6 zMo*f03fA3)XjSYrWP>H6pI%{@^~eMlPAiXnB&0<1h0n1$j8OVUjB%myJG;`LHEcVH zu_N_Wc8hn6lt8|UjQGUp?8KPuodqX(iG@!wJ7vEMF;BmRiA;x$Cz1wxA_d^nM*8T zXz*4KQbci0+E(VfLZjIIvuk5Sm`~}|rmt(gnu7i1J`U^PeS%`dNsjXn@oEO_G$i~7 z%U1NIz&zGB-^xbpz&GQKiWP1{o{dG@vc~on3j9E$t6zTwf{v}mwv-yD(g_v{+1)Fk zS^OYP!zrUSM^M{6`@VXe{@mu*Am&GsM!uy@ib^pv0@bj;dIB!vecWc%8nC zLQHDb$JkA2VCV57+D`4!{YPu)|D!dawMYDo0aRUk3WpGC@IqZqNFp#sd80~#g~a9 zKupr~nLs0Zw2D%*ytN^ZI)Ud4RfIZ%$LPsC540uhqI0H(nu>rb8-&d~$F5xx#p~NE z3YBk!@m0Ffd6fl3<=S`5!aw62Mt%gtJwJ6%Y~-D6E_|NAm+u~Qlys{dQEeBa>fv?z zj+C5YP{)EkCxES|A>*N_@#f#HCoVyg#RE>aQ*4I_y-fa@ek3rK!0UsR;9}-!+r0T7 zQUuf|0G!SQJh%4DSDR?ZEkjiFXG!HSsWf?d%^;gt<`r^(YP{eLC>tcx-kE$0{fu(Z zynWUZSOJLLuWt!>P>Kai`!WC8*H}mZ1gr}VQ0$3Q>*QMVk5Y-;=`^j|b24JFB{I%7 zyAj8$axbj&(}m2S_tD#4q^f>qF+h>?*gDii+oms^!<6mCbAr{nEZ(HGL6DL3I43zD zdXfbZQJ|6uOFNGe+`$Tdq5a=Q((sVV4!|))%kb3H} zQ*15071(;NUn1e(AaP&B27|KBvqu6mR0Tk#4(?V8*~5ckRk`~-AdwJACf1U(gOr^9 z?pQ|&D6;Uu$mf9q1NyZ#zqNq}g(kBoY`cacB9Q2ScL_fJhuCln`bTX1Ua9`S5F0Sz zV(R0vsf;MmOsf51bUxxsO`9ZEwiwr|T=WqKpGueDw*v_Q)jqOdMn;XhqyBpM$ z`e{^}i@u`2py=b|6`RH>T>DyW4q!y`#K88H|;8fsnVK$qyM 
zBJ1s<4&hqkgGD^wK4y}*BhY9_Doo%&%Bnncd4gZKGmVA}Z<2TadG-2N4wG%K1!bh6%Hry@WQS~(|tcAYkXk{V4%QH-QA+_-X=S4$PBnK8s z)63k|LJ+%q{|l<5;=EXAU%@VEDbhMH{R36hd-x%&;iPffbB*oRO-R3dNs6O$xQ!JK zo?2l?8d$olGkWZIe}EOzSA|v1`7;0U&SF9D6zN3wNU7TY5G)a7iO`u7EB^slC>A-g zoa2kf>wWyEGcw%p2hZsVj;_9ROSXCrUOi@=DlOhlexfe==zO%6Ffx3Q+d zMRORLN3pKq)VZPiE}_~O?YsoP?&|I!%viN%+4NLGIR6QwrV&(VL-sj=UUTHvQnidS zCQZ0sKI}6y=bDJ4ZqE9MY=;(7bQ~B*lle|A36p7`92fcm#HR$N?hH3hw$0p{NowKZ z=!1A3V#ig~N0Oy-=U!R!HGG!p*U%b0VOsMJDCLM@MLvBAJfg9X) znEts()eecgkkBm7WKz=3vo46UqWrV3WoUh})S1J7H*w&~S>JBZd_cO(U> z1>jW}EC=Kn?d?1FzVxOaM4F?0;>qgPSlo+fsKNEZqH;%Qo7V|~*OWpiX{#VpLg)lXx84RHZQe=I_?W?fv0l_K^&`$v|!36-+T zL3Au%L*}6ysbruVbrKx>SIWoUbOptf#Sd(`duT$Ap#U4&Z4UZ$S@PJMWJz3z#R$hE z%ZCuO7cy&+4j+)hqu_|fqYc@K7`IRlMT*~imitO)`%1O}e1ygcKW18rXoJP(H@C_H zu?!So;Xan%I>)>kn00dbfQesx#ZZJ!YkAbccJp#QRSxTtrNJqEVSL?+am8*wOP0|b z9jp%a53{i~$TJc@S?nO%EHX4;E9TJ^L@i?@lRxJwgw(9HLlLtQTWzi;zUml1M>EeB z!_bOyi1$sVM)U73ER8fLj=td`@Z>o(S#6z$+o50vM{MY9?M>yu!k0O`DizySH39@T z^Rl@z_v1dHNYiziG%oi`7)M%O(6AWP&&u(14WTUuHQ$6|R?YxG>b zHT}ZT1raUAA&P_A?Nj+`#*wNP2x#*4x*f@h`Fb_<9d&*M)COT(#|;JDbjMsEY2f^P zJ0W(5O=6(&rPUg(;6Abz^r;FuNW{+yVpnjb-p_1YGGmnF8BOA5x0pCu0(f#D%4T>y zfR|Q7r7zL1RfVRX3Q3vZ7`FE4LrCUVi&~|`WWh0WMH^0ildNdI8?Tl&+cOS?7%hmZh&DJfTkj>4mD$f@i(L>k zV-ZMJd)uOt3Dflc&zk!F{r_20S5f_E)k6>m+n5ZYhW=;O8}4KNf2?}8^gSS@Ek9O0 zXRp~>pub@|tWX2I$NYZ)nbkO7oTNh7>&vf+bWD0H*{$Ld8r9QLZ^nn5Xuzy~O{5yj z1PFr1XX_>kaY-_N9}xen}HOZp@UUj>ajIisQ?)r56o3~hyG z%d_b0YvaibWH9`1|6J`ivh)nce=(=7uYZ`6K|2;^Cs=V}b@PG#o)!8Vk+}fkN#3-` z@o#<)H*W>1kkd_(#@zFD075qn2z3Ay&?phNG<2yoQVAad`&inMhtkof#G(pdd_;fp z&qE;6bg-yB381cHeb2zuyY3md84CPeKee1}*&`KxGo(?_?nTX#(MpCk1wHFIJjo#F z8cF&@KK0=5&-;(AY5;eCs#l9eFD-qjuDsVB;#f5Y5z{GW6Q$N=uzX)xC2n*?_;j(~ zHDw=7)rIAv{$7|vpxf>6BPV^Sd+CY_+}ge+W3*k0ix%+R6~0mAE&>7E-vS!C*`4lg zj9gwm-i$<1E(^!pC8~3$Cdwma=iv#4jw$7U=(isUa6&9SU8o&NnL3KfR2!9&&N`$K4UIiKa3P+p&l(!W3UH@b zrQNpQWX#DTZ=12e3fKGv^a*91IE77Um}|Nf7aA>#kNWeCWwS-~BLJ?nl1&|0mVbiU zsA4xODO9@%Qq+3N$Woe;K*6~ghpF27f!TfRwfIPsP5VGF$2F5fif4_slcBL1U`K)M 
zyN+-K1z5B2rQ**gt#qfWlh*t3HMHto%I!Tjt4iBFmvyw z0y?vibn+rgHxp?iKZ{8FI8qD@D1l+%rr2RzvI|m1H=et!b~c`Sh&H-~SHC{@wEOlv zwOdtJ!Fj%(URMrwYQVnNi=&y6g&U=e^iIN|A&TkmFb1kKj0`8&N`j0|+{euGV3%+l zUY-W00u#xTCf{VGLM_WRH9Fqy6FLA5Rx>R?OXF0bK^xJ(3cs91`Bx}k&&K2)(0JbN z4of<&$llh7-gl(pyW11F&bR&TD9!{&>pz*fc99OoSk+;;HBGgRl)l-nU^dHEM zQ_yP{Idt@wjO}b+@3hjt19;jc3%Ag}z3pF@xoGn*duY2=|B`0maL>VNElb@|mamlk zCMR2;OmSGHs>VnnEao=xV)pKEI+&P|cyJJ76&bT&(@TI{Dlb&z;N<2{B-QXB!8NEB z=1Woro8r>C@bf!KBCMM9yQsv$)|4gAT&;g^4@26MjR;Hhj<%TP>jUBgtT*_Xy!Ts{ zs}ZjeR$O&klcmE32c!!3U$w#*0k#L7)nYO?8D|i10r|Q+KV^AMHCeG6-!)h$uzKt^ zvj(MS4~@?OxsjAnI65KSdYGId!nZO;wT5J#kZWfqIG^GZE{&^Y-+py+2&%68+5gJB z;1AR$d0qWGhIJ0(wh@@ysa^z1tEx{Z#Oc`NP&6ymxXg?1>-z_kc zA*~_Tkzx}$c&6%aSSoVNI}q6K=kdYa&ce|or&m*FH8>owC-})0WdRP_-7S~ZyH>9ewxvEF8 zgb*~rtYv;?ll|cAKYK<$00~F)9KBm=m&UIJTND|eC9=P$CEuveeDeB+Kak8#xf(%+ z*!Ir}z-Y(M3BY03!stdj^%*#v%>y#qiC}g#TkOcUhk$!}-`>ar;BE^bzHu+9NwV3{ zo5+s|b9Ka}zn1ojOQUoPhp%-Wc~JHzy3Iw28H?zpHE^w~q*y)V!oTO3HUC+Zn+8^5 zFi*uO;6-GGGo{H9O<>VPU@NXd&c@pV`sG{cvA{65T0B~bs%Ia%Ybp%m(X|J~FwDx^ zdBQ;!Rc)-z{h=R_&n{$F}41LJbW)M{)byjwdEvnRmh7G#WN zq%+fwZ@bzKN|kH%=aB_tTx)iY-x{0ui*GS1n=1DTAD_O}uh?BqWyhQ827SMZeNwr>(Olo#X#>UHYf})nx{QG!qsbfS^06+G`9p*`=Z=t1 zU)&~#?@V^M-zhW~$kd!2c@uFMTO2vPl9*QJO8P)wHP6x%Y)K}nDp=gOnAG#jeCYmt zEE)mN!uT5VXg)WVUmyQd#B2}w-b~3!Gnjcbx@%O3D&WIk^`@%E&b3q^q7h6yai|q8 zd8Em#Gi!+PC%knH?{LUox4T%W&5VQUF;^$8vMF2&#BJ@{`=ue%)K^7ogBC_?|Detx zXERQ)JV8p9V(SC>6Wbz6CW|T#$1fEZ)qU)>J@H;hnwPaqd2vl&P-M@h9@D9t?ZYmF zszk-R=D=qhd+{AoboC|SfIIC!GzSj<$EkGQ zsDzdA2*sF4b4{N5sTvVs+Cj2AtzB!A399s_s47zg`)o>bBT&_at!BvUfHsQUZUjEF zgmuFvQ1xI&L&8LrdNAghrtM8Lb!4fA1vnOZrmHDX=m?6QDx`SS-jx8067I+dYBo2; z-{KcXshNx1pa`|GdTXGx+3;Q+T+Uyp41g4zW02W3QE173!a}b{^;cbq?dQLWGHP|aX)WKxx z_V0G9KU|x-3!8mhEMcQL!`Sr6v9qVFgqqEp;eck&q=dzU1)R{MA(&kOL;y5E80ywj zi}Vv-;?m?e{w-{HQF}f=#KU{u3@e~WF)#TtH_XkMkJgh*9T&qaEe77R;%u*xSy^zG z8M!tVb~dCTZKZ#}h7R*_?&J|}S_WK!DG|nLL;x+qBu<_&lTEEoeR1X z)IqRq2ZWD{fr@Y;_j*A)V@rO?9zhYeU;f)f3`%p1&@$1V5&!xCs%62^^{SH^KIa6N zZFy0?Zq^HT{XbS~-)N$q+e-WpGw3)4*K_ 
z=mOreMvoO=rTg7)Nc|7bwE{}tw30(o)vWkSBDNAxK-KtJ3u%E5!kZ_xuNe}J`9dTG z&VKR@$$g&A&|ck-guV*}rtcdq4!^n0|1ov9n4Lhr%RO4#Rt7GD{%Ce1)W|HiZULL9 zWyf%Ud}2fM+rjEZ9CXY5%r$sM4Wzm~s(>?xp^`iv(2+sgvv2q3pG)*So*J5BJnWIG zH*9GucDX=E?^#vP*hg4gMatw1Z(X^XeRV!iCpt$2aE^*}Hq8}a$ah0B-M@fAI$V?M z&QCEI*}t0O;*z2kd|ARkX%!d#Ak?mP^WOae=-S$!o^8?^P!pc_PNb zi=v!|%eb_uk0jty!}K+gS@Ofr_yhFUNC2@EiD1qArBEUj+OG&K*BtF$UA$kl++WXc zeS$Xf=#AA+Y{h-Us<*+kXFu+GGoF0489!ro!em@?{G?pLmvDE+(D zj;8lOAVE&7dJ5QRE4}T_KgG>1okBUl4nU%G!dQKOWD-vM4hViDNjo6()>OQ!oOCml zu*}s8b}iGoMTDtpEq;OiLBEs3q5f%X0<7o1h<;`ZhfW+Km!n!i6>+ZY2}>zVqy5z5 zlPwFYu*gD>ejYpdqInY~TH<@0di$W~4Ei8-?faOzQVyU)cY;Qk7Y-N~9-g2yndmx`Hg4aaM-fs(N-l+Yg52$d}k__jFcv&ailWbkC!p za{gG`56wJcFo4*0qNHL9!?r2Xe{a~6Ah#PW2qUgDaXNq9)pYrM6vVvh-EPAs)jZ^k@IcaERqEwU&@C`M0C* z#gG8PbliO!zxN$E4b&39Rj#rp`U?(eq|Furfm@|Axa(QO?G1|JVIhxIR?h-#n31?2Ya>RyDLHGQxBK~sHVe8GMwy(jZb}mG~kqZ=Tu6obtG?+V>5R?3ya3AnmY~RJFq!r zOX7$Or2P6dH1NL)4{b z>YBCI-pa@EPBX=4OCqR$!c~p@MG;#eaMZ+z>S~EeFZKbVFnGz{c%4g}^gDg^fXYyn z0nAK9bkQJ<&Lq7I#O5S^$WVw2>@SAc!tA&3Gaan9+Ofd+n(qxH>}N9Gm1mhv;^QD5 zW;LyF(FkgQPSM}rtQp2r>3_?7FSS5Yx8Wf}Uwi#~2Ta_Wg2VW)I__MLOYj&0gjcWm zXvs)k*;D1R#m8IX$EyjB&c?9u(11X!C53S7hfGX~R+B3pF0e@t$+NLr?h=%#oy9ZJ zu4yb$&Za*|4v2$9K@@N8mrm?iUKT`})TmrMB`Kmoe4$x3DiJ2M1LZBQK})Pr<=T!K z3L-7Mco41@6z@FS1cO`!2x8U`j(ZW9$Dl=qv-d|c+Nk;C&n7_X6<*y>NIL2JiSJJJ zR_1cZk^P`uxqw;NjN`3~P$l#u$Y)6$hV?6oaL4z%LnKW+tsAOZqf12=eq|O6uvQMX z{2}a?xwwU;8PKfk*Mw^v!}1iCx(zn0#Hf@Bo6qGbYy375A_*Mo{hiAS;Zwnh{fF<$ z%fvw%Twv3;cE_qk&ni}#osy#2_@j!I(u;W_il%*o)(>m4y2aXli|osqvB{dfVOt(a z$3jEfLS>5r+;q7u$%dLZmtJ#QZzA5_^cfj@)-ijsyc87+lJCeW>qg~3DGjF034w0S z6o9Qt#{qlwuLn|)jNqyR@E0lJa%fsFQx#x<{)KkkaMbbTdVA?dx`T%qa}1ZmA}4g8 zwlT2lfW$BfRKY3_?x2T&qgMw^Ta|&(Zl<5TW4Ig&b$uDUh~bu^IYiQ0b)C&J-H9^= zGl$p)khSq_Gp-s-V-^fVqv89LzDSqf~t=xvl2)P-f_?t0>HIqzzmt#V{2OkMyyAO9 zkW!GdQS{BYZ_vybb(d&N$=mea`!LaS7{IIs!gdg~(u|UNyx5QX9!NAxji0JwZGsv> zot%`{$oWM|qf3(1B*~iTB7K05@b2(S2{NGCQ{?M_@@-FH0;3k_`dyB1zvi9&Yf}zd zW*k-R$DraXgRok1cNtYLXT?pL-cz<(r)mje_scWT|F)$uC&KJ^9$wYzWH9U}n}v$J 
z!?8`DJNup{YMSy?j@2)`qo$cg7FFd-ZLHxO;52*48sS@)`keigC}--N;6v^A09y9g zn;2QUv|on;=`)l9gjf#jY&$ao%@Z?Ctq+GC7bPzOpM?ypPPlFG*jHmTlJhP)?&w1~ z_KGUrGgJ=59ho8}IfC7NXOmItFjMzlV^wrzni>c9Sjn!hojeBCS@%p$IGjsooHJx! z98T_rTC-yYeF}ndG>q?KXLo3A9UrjLu&w@XL$9uB^o%EKUe-Nl8+wHN$tl36Q1T1R zbH1GKImCm1$=;LFWTnED-+(gNVn4z{4gC;l{`6!&XzRzwmVu!IOoLgKC*kYE8@`Za zlkFUmU-iq49EmE?5bRXnJibRxoi=cJ`A^iY?NCNaUs0k5Q(lU@QG{vsDC$}&Rutw3o3~fq0M42-AU~O2NLE zKCG==77c^kt2R23fqBf^b~}aWFiuSvGg+i<0F|F+D@>5iz+}q;M~bUp{jLkeGK77q zW@lT*%(^@v+dixUXRy%{WuT})OL})G-!c^mX>TT-jz)89?V{IBlU7T_`X(K zWB<}ekWcgjt=k3Ob|qAap`b4L|wqYIwynP2t72c2kpK?|Gd2T>VMAzDUbF1;EvGf{rvN=h`Y zb359VbPAfRI^mNHknInIL~X#jFG*f9m3gAL{A(z`JnqatQnGC0ZopuFeH}D6*nw6C z@J-p}HF#o<5Vc95E9G4L)s8r#ke=irrLyqy#2nAcv>fq0ehr&-S$p?__~2zmAkK*!bsF?l-kKuzW3+GW(`cJ7>@Iw5$ZeGVu)$m($~_ z5c}Q3!Q*Ov^xZ*WTx&-*^Wouq9A2!b3?|?G_gxy-R^7TiO((Y}HS!rxgPmZo3G1EZ zWdIrTPuQ@k&ls?C)iEbV4Kv`&LrtD$s?c@IvxJgkT*h!SD>T}`Wiw0fx9edv`{GCa zeEzrB+y0XR-WPti_hVl5Y^O}oozg*-vF#_=uR9pzNDSI-OY-*DDH5EvF_W(=Wmuw>aFKjGk%;@Gh0Kl%N>2g^=nAwi9Tr6dms>C zTbgBVWHcu7OOXv_sg81fsnjmHwT;7LHcKviAGgGuKTflxGF!l*%HJprp1=W8+EP2JH|^=9CNkUcj(0>SjCj zTh}TSob4JkCnL>*V6D!$t~Ht#DLNO7V?<#|=hZ=h6t90_H&_r!sK?-yQtkt%zw)Ww?zOQm<{9I zkC5|0M$o_!Z9p$1H}{6nVCbdTIb`!zg!pKP4e}-lF}fA!s7bmRE)?-MVJ3%&|7la- zxwc}7LsF}b#`_Og)WmkYRn*tnqI|Ws&Pe*05urD;YP0E6KpFcBwz4{r_0Ds__b8=S zO31iGzRXT;Xz9$+uLz_Gp)drM)T;t-eo@>z|9HDgIvzZdx-$Lhd^6q%p*nOKtE4|x zB!OoA%T7mgLt=ngW@>-skKiX+oI=Xd1zGmHF(PGqi<{8YGCHs`nN`5OhVNVLBZ6@vt zat|}G4!FdaLwRgq_!nDvDykhC4sj2ed-J}Ey~O)qx{e-Bsd*aR#o_V&9Z%GNz28Bd zAOY2E)<@b!`<$657>NIPIm(Oru1hc&tSUhC^8b$PDwE@cE5A(Hp70n*z|Smi6Qe$5 z7((ivq0dt79YsABNoZr%0FTo}hnR3`o=CAkS$@_|Ga`cNV&$$p9(z@-YsM7{x($3oz?V2gq&F<6B zXAkQNMw=55f6rz`E1_{o3jI;OQrm^n7W%ZImsLtp=f~A%8WDX9sa66zS<~rpgb4ea z@W*ceiMi;vnIOmeiXAu@yG+d$_~bg(I8}kp7_F$9m>gzW*pHmpgNn3(7R2wnw}=9R zkCBraT^zM98}uT`4F)`0MUud8YuixD{H#e>vJU4hvmh7J3Y#Sj$CmxRp`(G}bNIY;juPx~F^5@N9hL?a|?kg-rh6>N9lr z;^BMFiE{OHF8Qg!_u9>jQ-Wn$&DQn`Dla8T3BNg~F0>DeEhX92r?<7aw+=64*wQ*~ 
zk0r<*rYsWV&>lFRsoC(61M{3lTu{4GkX`kyc4H}?_FXy*cozG@-m_ormK^Uk((qGE zVFG7g6?N4L7Fqun0J%U$zdglT7X_1*tdrU-YDHV;+U#f8%gl3wboK}9r4seI6L>gD zav4V>4+Y|}N16SqMl4h=k61%21@M0^%w$r(T3MxW+gduRd|votbN)TiyZ2@0;WJE{ zr+s~>?=_O==?%Z`cx8x^zm@ron5F6BN3Q^^oqGR))*DW(nN%O^-v5#NhMC5EH#qYG z_g;$KpC9DvEWFq!w3rFyMX5zh-UFl`%(i4#X$b2Q3ud?+!Ddo84WdOZ=}2^8G@HLW z`6Ubh%~hldu7F`)b5g_x=~TI;!M+sI{nc*;LuvVK+f+uRyCKS6=*(mPApbpjdGy@M ze|J&L^}mlQMWDQ+J4+SVsd~32yI|8+8)O+Y>!!*GO{*uftb?Xq6|{o8kyrnDP>}}w z=T>%GjQ>^2|9bfP#gT>oyD07O|5+HNm3(Kx2i^AQxbMz#KRhPs7o}3 zTw3pc!#J>Q^xvz4gQET){$bz$F3KZ_*7D^(>57eO2%y^l2DTVw)->d-a85otdO-uJ zv1420+-2!@QKr4lrmYzcr#zXuD7ZyIe*?wYQM{Z-L|*E{|Mla*w!!~{SI-OZ{{{SI z;r}j*Isd=Q5V1N&ACCujG*Efl4INu&%JOhzr7d4bDZ&2%K)Ja;4Wqa-Sl7n?zd9(y z|2};6{FTlBu#@t{xpY&!0to;Dhn>4~H}gVgwDbc^4C4UE`~-}CGT3|K+|2yMNtO#D z7o7xlBydn`#bj|%d!Hh$r2fhyI|Ai*Krzrkh#48tg6r8L_HO;pK;;oA`%m8t9Mo4k zKxku2oD$j+IDsE}gT2Ao^@nS6K7Qhyl2eNF{`A_J_;Io~nEL6E{+~^MZ!r2J9@77d zA7;}b{-5|WS%t%_qY|AQ9q-Pn(o ziF0vw4&wrei7v8x1ApSVLslJr+8eBraWwIUdpO3`nR9i1a`yIoFrVyY#ML;SB*W~( zgPnir{mVIZH%9aOKRSGQSg`*;q>wQ7{qLYWanAV-;9|ODZ|}b^{>Oj!=Tj$%$KUnP z#3(r)4rBKYpV(|US^}AY22kh_g5lLlSE%&E-1WnuneWiNe z4{xJ*?y~4>|1(MN1MjCAJ;w0G|&l3nAEG!2Fr@J~z*=O!MJ`p(B< z&mWKTtK58!0JZ@vM04j#Sb^<*e=n>x_H#3Yacai{*q>l+K$&9~@QmlkXmlLwedKMi z=0}GtD+jbmzlMIzHZ4PSqsp7%WG*U&eaTu@uKNa81sD-o!PuKeD=%@xFxk~|q%aJ= zCP_5*>E+3zV*7%9uw=T4dVp+gjA_~1`=|4>hc-m`(%?U5+!zM`m5gJb6obw`_x{<( z!v0_UC-*P<3wl$`k|IhW2>}l z!%Bf{g2l#;>nJYs*_p@6(a>d}9w&pU(W?E7$}?5JrtEFQe=^Uks=hNjV7-+~>&$;T zXiSThfB#!!<$^V!Q7gR$LX!N;%8O$lzo1%@V%$$`*6YK6xify8L~^9 zYXu}J{fdo&e&wypoipbF0NE>m8JZI+IUMAgUEIEl(#zOO;3QkRK+v9G@WVnE)7hBZ z>RVx7OaG}mHCdACbEI>gRo2=V+LW4od+_Z+Tf-{JdBt;);ZueGk&|oC-oFq{SKOX+ z`h?Q7`)KI^l>~i91Q4>YwD3A31gU@yF5_s9@M1|Xmxbu0d&Y;WHHpRvrcNDu3wT!u9fHUO?hYoH470wIVa+OJBwx)v zEV`U&HZ0j-md_bCL)3G|SdmDsN(@DbYz>eiW)&v70RO>r&SqBjPBM#@!K4i>*0}SO zS8~F?;4#WZs1q7h-v27U2=!SV5_ZT{Vy_DO$J-Eim8dr7v@1J2tUIIF`;Vo!^rZJs zZe1_uwQn)oM!maG=@6Vv?;wAI2$Njq5*gh(Giu|HVLNDT*9hW2eJfA!ljkj*XXdXZ 
zBa`6KNcv^?WDJyJ*k3OC%$V?-s`V6n7Y9JLMt7I7zw!fb>YXQJH()}i3aG8q-&jqH zHHo9e?+1U&AI`~}H?^lz>`l04Tt!j(0}7q)0q4yt9+6gO%kU(57lqi_CSCjr$U?mW z2elZt*c|>wo&X*NO3(%=qvn;p0jdf^b#eN>VVi1|7rK}NZ>q%WydRyRq|0x415d=a zq^frq^ph9Dt`Vn{x#{9V!Rm`@)K#rQ(_<})GtdK^4H~HO=APqMhkxF9cf)F2gX|`K z;#*bTStOwb&c&^R255=LxJtfPz*6HT?ZbvpC-8SB23jV9YZh#RR0~#4IPX2uPOLV$ zbX2ug141^^q)fYr`|Z(=b%4BV=N3)doV8#AtMY z<@gO@QBgJkf5Ur6KHh}`pqP7dbiN-%QB<5ToLoX3H#i%bV$aZ zWa0#O0XQ2-k^&>WVtP+Dk$94{K#Qy%^s!=Mw+c!=4>YMd-8OC~Q`oa|J6JHgl>CyS zREH=8-a%2+I;a_leWk5fXB2fSOG8{PlbQJfuvKBwSm756h)MLn2IvZlSAhrAj2ZbY*hAProjDnm zlw(Ol5~5A<6)~qfC27N*D^Vs^0l?uR@9N*)dIayOThS11m0*MSVKtwy zVuBMx9tn}`a^w%3OD1ziO8!Sb{b@PM#PAW`QiKbvTbKm<6IPV)QDV5BnarHlstm%~ z0n&!~@^`+DB&>7MSCgy@cV4bnk|+49Sfrn*B5)b3L|I>}SWM9eRKsV$sQXgmKxeg> z#_oi}>U0)I%jrxZ8ra})ZWBOY0ecs9kZQlI!XQuuP#RTJycdUF8VO6_-g-p-!gNAp zKVetAFj>ZUN0|78L|v%U7nShVmWE-7piE@wiv>HE13s|euQN%X4!D(;ajg|KAnk@y zzAsd)*DA-;7u;b@phXxLR<(Wi4AT;Ki5A@gnH1=hjU|3Sc)+7hbje>|KoOjaB<&ak zVLdrKnLv>w8aU^8l8!Gls>}=t`k7bFq>eH+m;lQ_p*d_L&8#u#0;y-smF`BYN~3U~ z!5bxp8cw#6G(5cCDH?ngIwZj>^7FU{brWe3khV%Tzj#q5#s8nkxc?Pzw2qHP3NJ#F zxma-T6O=@e+$oM$K5`XGN? 
diff --git a/golang-external-secrets/charts/external-secrets-0.9.16.tgz b/golang-external-secrets/charts/external-secrets-0.9.16.tgz new file mode 100644 index 0000000000000000000000000000000000000000..ca268d8459d75ca2b82392618d1bda98327bb264 GIT binary patch literal 102068
z=n-(;Y{oM7QW?WrSt*TisAH$RTr>C5&M*a^a)uli;&}uSV+kWvlEwdc5$q6cM9=x4 zRnegc*!(>mMF3nfIHmkkmj5ANloB&)XA*b|wbJ+rD#wB;OF1uDzW~wan20hBl=!y+ zp4#7o6w&Bg)PlEo0k{mQ&{(@!G`CARhwqULbaybxQ@EPTSiy5`cC8ujUjAcBl zoC3DWNwl2CU-Qqj6XAad3!CrbmT9vYZ7&yDJqwaj1oraC{u^~%#ZNVsCDU@dEWc!rhL}{Y}D9g0T8PECTuZf8F@^2j2g>#qFSNya6;YNy3ic`4s^o7=SA|KxMxGF`NN@z_Y6B zC6*|J;-;^wACz%k?H}<7(;{9S=9vC0PFmT*&ihDHByko`41JLN!8GI3fqns^6%uP5s>)6Ke+XiN!}T7;XwX3Dqqw;?hxatf321PJzxEEDSxb8 z>ueFExX{GE4v^i~PN!+jw=4{16ly1KfeeacyIgtG>HsegA`k{F_uRk2F(vF< zb_>0#Xt9sIrK`zrz}g7Z)jgh_Ep-D1TW+{$gZ*+CtvziP{GT{kdls-u{{P`wIsW&% z?|*Re|4!Pb{GT-S$jh;@?61(cc<4O~`ngSM7s9@kdsrEitbeaCo=!&4jMKBK^e*QP zmOrsY5Z>#~1jWA%lQBMLnr_5rfrJ<>w_!S z*94T&zvT1msDKSux?f6PIaIrETmj}}9WHuzwiAXLoNO^&k7UU)?+@PE@P9JvCkdQ= z{FF z@%c$wjpL~*tu>_^sj1I}D)2<9sSAX=mQoZ+54wd`C`>a+siS8~$|x{3^hvX;Z+hZs&U>j9nW}ON8}P9H17QxUN455 zPgX%Vxl`YY4=^Vti_iWKIImXPcLY9;VL8)#U zqd={WZuZENd6AUPn}hWBkcG=RI}{V8fJ_!DILY&1nCR&2^uu=-r5`-6kbd`nhT1P) zY11Bnc$Gw$ThM%~|G&G=-GN3Da0DSLqzKJ;s0niXF!A zf^<~)@O_-Y#wPd5pG>AXuM$6=5K*7o)@nV3_ zJjm|9Elz!jIoZUT=?rGxEWV3)x;9J!sRDsR|JDyh-17)8>WKOmhdYg6uv84?!O%P! 
zde*Qb4syPs(W6I&p)PzMmV&uNYBC?wsUS%mPr`V@lM`d-@zK%A@aLmdHXki!+HlJR z){|sG*~wNz%Z0zUUlzJBaK}Vg3g2T&026l>lYP?t$y+ z(KpKGRhpP9*x;q1)k*(>Fqq|GA!5VZ$i#qrv-z3epAd}auP!e0w5N1#{D|_dH4u`g zg^&e6VOCcB5(yKHD$S%kt6LZ#y-in>MUdgO_-}xEh6h<4_?YN7p%XIc&8l7C!5sry z43ClU?fUE}h3gOx#Q5~e(WJ!>IIs&p=~0rV$6Z9`7chc)qawGgpsYO21IM2=2pyY0 zx*o}|(0+*9=gBbPO5M$Ym-UjIBp}|e9z*Ka=WjQ{V&BBKs5bELO2amxG;Fxg>R;Qx z!6vd-oeEk}->C%ucg1fI0;!;y;wMl2R)!(bFzQtEMpDVO$n^I(@_7noBKR${H$I4RmzpOan@}H}!5GtE3A~ue z@m!QX($7aGCCh&V-jble!gNcA#raoZpKoei4_t4@xyP8)n_?Hx^@U(SU9TF7g zMoFg`k&?gh2)iaQn1X_)A#%`ubFmd5atSw&Z%2M!P7t)@CmL#us0I-f+dAemT|c%P zzY$Y3ZlU8)Wy76f_?_4utUsa5>G%(R2#Q=kPQ6b^Sw8XX!`ibPc^8}4jWz6pvE zRhP!+>>0|PR6{n7D)=Q>6WbhXLpY4%FplRij>9+`bd$HY`LKpLzql^fj5$`qnAr(6 zA4?zUT(kUb+hR@8THGVYd{G{lglt~;p(e{@>sX}o6lyA|_Phf~6p%l>3j#?Qs(mof zY&8R-REeIiHrv;JBnDQ%;R?P_FySY7t}Iv(k*iP3S*J-Tx6}HZo^;cgcjt%U@FqfC zY;MJ&8A&5?dVX=_!9QLfpH(kp=hS#KoFFOisk$0$iJIeF^bMr}pt%K^zc8TM);NYG z32Wbs37P63QTkihfK(Z8&X`2mUf6vjO`DP>Lx^@05p3Lgv>CbT=+gSLAKeB?9AS>a zOYB$ky#VY>?`$;*gXwV?uj({PCfDLsakdf)ld1z4UtgEfQ>Q|aiP)xg_-PzPut~~* z8_jA_J*R%&j|H1nK04{tXq#dkM@J`W{`!l7FZU`A!}ty-$=8ZShE%}nfycrWi=6o$ zaLR33*XwwQY2@IIWSaI>{fSX04La%QI{xPE;rGvK7pEQBf%nVBYt-4&XW~!C^B`j4 zzhC>wf<;Zo>qo0a{Z$@zTny|{nYy80zMh5-?Tc)Eno=EJf5*EoFO`Xl@i+>Y8tsL0 z=-TgyE?&j)1a1VcRX3tjoF>J5R7RWN_UJWtAPO82btglpWE6Bu!vS9~+J(nxB$hvt ztBON0tQ^tZ7{2`uOgNuV=>Le*)%LjNCx8?!>w%G6pfm0Suk)3=K!O(S%nYq zuZhnI2(Du`Wyvgmm1WbeIx&7s4Xi^x%ge?6Q2Q5x>;OS#|5?LAQekT*;LrRF)~(r{ z@s|<&pBwby1q32*;TX{>qKx^NAUd|aWSJkaCgpFDYvCPF@|uV`Cg;EM;*Nlhb(5lZ zE~q2ztYQnmwbK&oERoexD(yZ-e(2#A`ikZ>E4v*jP1`)IfOP;g`6(72WED_kqb zZ5Y~e`9bO6wGY^-rd2FDXxI2lX;p6WuSCi=;e_y&XL)aKUH+efjV>l#>@)xSAv%Co z^1nZS`oj5t?xJa~l22-!K)=oZTFuy5EZbX?_}w{-ekBg0wOGQ)S#&KA(b7Eh_d+;) z@n+KRxu z{wu8r5m=g0;olS7*mqE>t(%n;LgSH!; z7#@6f90ciq{`-^v7~yw+``h3gv#$=m{V&n0W@h-keLCrjI{_TCsVi>nH9}#66m;B; zQc6(umkGTwbr#mSd#dK#J)OJfzmmIWEwU)Mc#{6ePf6-U1VB75) zeN~o=T1yE8VV+r*tj3@$XX-Ht^>&t_)3R;)Z!UOqGRY72&bbBE2WX?%~2l|2O>me}7xQ 
z>SmjmnLRx57jfoy_zKvX7SH9NB?AthOx$?dj{r}{c-(7VeD*}JP-C&d`|)V>EzWS| zXVZDRjnLd>EEhj7qzbR&3(X#P!vDkI0}ZOb2uEa54w7k0@Z=ggM{G6*72D8wjbtQ> zf@wVK_CK?**Ux~l#AvfMp!*)!=M6zCXWs^3kAO=u>i8qDWG|jubp7T0tx<0y09l-s zk@I8$;BWkUDUKm7BPSo>5-G9Q0mhEZFjm#T`^0>$l64Z9lD2uPM5ZMqhJ<=ZNMP6L zm@_h*zh6pZEy(-{m3sn(Di>pk7ps|MEIl0^5l zJKEMZ%-mt{PQX)c?PKWY$zQ^oE~H||a$Lwk3mg|BAHX}De-JE~P_ptEoi5IUR5l3x z5f6M03gZ&@mWTHk0H^ajxN4zie(XXH>M?YONy%IfHxNBP61ZX9@qjvYj6^ss2Pc1O zfhsSi3~ht1xT`?WT{#@4cYVvpyGR{EhPCx&7> zLB$bj+GkwA()S@9>;iOpKo1>GMoB98&;K&=(#A_G9W{~tzD0LiwBp3P|imIC>hw2M82)5$BDcy)4TPa*u zw>2s1$8oe?*ilNzHJY0aO@eH8=wQu@Zx~kN6<&qDPo$1LY*eG(wrvLX+kS)=bF%~P7!H6t^~(begzYT zf5oJZ@FG2uw8>2pco%e8BL7Dtw&W)q)$t^bC#nC!@gxt!lbGoX3J}MaoYo)+p`7bm z69fncaLpPzjp{o4*J4;`=qRqq4$?egCF&2iR~CDZNqr5VCId6xuP$HQ5V`ih~YztS7he_Un2y)TFyxrM0=AGxW~alBXtSeM3dDof3`Ea}zPPWWhue9_p!cd_o7 ztg#&%{Wz(Z&Gqy{u{UFMZA9OobHbt&#CRiSYLgd<_~>2+Tc}w@=u4!b#h%|LT?<)f zN+QJxw@YsIjmk;ay4%J!F|YO+$o(p~7a(lN^2zpT#I*{aID}Kpu&a$HbzE}pJ$Yhs zIsLvHOWvd_N!6BJfOOxLRN6+B9lm22ZdRW1;uexM7olNr8f?~_)4bT=o^t0DxG2+j zF%i|RIf<4A5Lg)TjObe=CyD7HcZ{xSk~CXr*P1?JlC!iHP`RH%d2K;K9nzgx^Rndi zAj^jE4AZElLp;Sd+d9<#`BAOoBGom4b3v+U&IQT2AUPMLuD;F%Nj2w!^gu31Jvar4 zj1MxYL$hy?AZ3S5#!AyWeqNkVny=Y{5}xAu1`A9PdPPrKdVzE6EwX?fyT(*}O24IF zg=LqL>jMje8J__|&-ti>C>;_{D1#%I`|g;u%JKF|5@PwnGYJreaF+E zr#@-Ae)p4DbBcmjEUG65u)%0rvOFI)Miq8m)?y|QBfqY#V^b3x+J!l7@a5LAgfF zsuf?rCD;Aw!9dkG>#lfp-YzLsrO>U%5$R8I<)WW>?KvW3GkJC;Ft%Pjf$rNOZCM$q zFuej^vIp22!qvDhwT?3E|HFyd^-qvSW*L&It_pkJ2lv3dnx0~4MmHX`7Udul8n1OZP;uy zGxB4#@#aindTYr%B(aW6I;OCXN-Rc5H&qx&U>=2<`YgR>kZY{aeNDF{YbBSJVZ1#z z*}kveT&JaBj;=);*6^{@*z$Ds@0g*tpsf|&c-3omUuQ+U85Stio3(e1`cRzmk>wgS zO#7kRK3Q$1Ub@9LTyHY`5MA$%qS;#CuL)f{kA!@wT@eL!i!;Ps#gDp6WaZ7=4v>#; z0Wn)x4f%64?ro&+$7Tu65SEcNYvSw1Hik-SRBn|why5J(Yx&S&zv@R0`&FAIIBk4% z^O&o)d;)s2c_l;hVJY+{7etJ|c}skM|A^k2dGEfsSwoe;HP*Q0(uS(4&;`YP#!20> zO_Vm5l-Zs_jPoec$-N4JMA252>PSnbi*oYfpuz7~Ptb*4i|@;;PpNFT&uU%&x+vm; zWz+eqJQTsmL|p!er>@5`8>s&zhzMwqR}z zCIAix`~z*2`%a6kbEowBeE)hge996^efknB$mc~5_}M&8IkfRk&V!}!G4`|EqqR%1 
z#N9vS1pIcMMwkvD!~c2pIlx*7c!VdhpTb}1FTFsDFR)KI3BMS;+7U)y~ci)loEd>cMS{XvEvymQ*l( z9@^SC;ul`;e;|IR8}=tppELrZfn}XSzwny~F42Z*nQDns;IYBSKCgNS&(Y@zHF4H5 zH9hd|=5fl2g)&YK;9rA-R{MUFFYDW*2tA)K)(&vA7q!B$a5jtn_TMW% zxu*oWIf+xHibh&Inz~`)zSosp;;q8f!aV=nG z!spsUYzMsVj=A04@w*lrudz{jI(aKBcu6>aM_;DPN8_J)3*rq5@G zyzoxB;obAYCSLAc9qhQ`_B*I}=5Aj3cpf8+^DmG^rnvl)k0kQCJVu&D_Zd&Lh=jJH zl*FQvskd5sQyd!lS#ro7x4doNT8Y}ujpHd(uuo%^4(>9Cbx5OW5MqRmthvc)B>Xb> zr#Cw6(5s2d9Ce#+*;zA=8`jjzD|KqFP)Rj&%VQeUsHE=-ZnyCy#ag0$mZ{7O{?;8< z%MCG*2mpn!>lUMg0V=Hrp4AZThLO$zx(MIUs}w~p{){uMgN@qW*ct^WUsXPlOnbBA zbgF!lMUIqSN>5%fc*wK&=IHS!`apl;OoSe4e3Z$-`5$x$-eE3`EV(BNV*^dz zj3U}_+lH$?r_Q+KyZL>chkyCtwX&(Sxoy7x_DME)R!wp1-3Ol zYj4g}^2Hr74-K%Y`7@`3FX4)=B-k-~0g{`--&PZ)mCM&Eh>G{epO60dV~FuMBkmp8~W=V|8F^4{?WOA8~Ar3tUz0h z=338-e;<<*thQX(YfyaPzfYh3@cr}ep1=6Z;qw=VPoF`zr||b@-~I6X z@GsueE$z9`R+tXe^Zo*&)f_HgW52H7ztAR75Ap#|B>q895*CKX=O^j6`CmC!B2KI( zHXa|GmiP$M4B^#^cxua=zlsb-k0_?!JEjaw=K?97pm0I#|06x_q!P1%YbCL>uq3UU zL=xCBi~kAt6wuE9coEEr%+7P|XMrQ+KLrT7FtGex;IYvZu+KY+F-(m5u-WW1`i*4c zqw2D;=Wrpq0=NR|I-Ig0rm<*3kbnL;UKa(I0Fg_)!)repp%P-U3c?v*jifr>?bFfW z^U>2sk^oduL~Z`6N2w_9ex1atHXGHSyKvNl|j~Whmu8U=bFdw~sRbgLddfvgpz?>Z!<&yY+{`-^v z7~xlc``h3glj;q={jU+{mn&0Ul!eb4=4+<8uxZQ@AE1=mECpP<(1OnZhSAa4>4)zw zNTSeN4P3Ee1cyvK@ z6~FZ6S+-1Hj>p$QCh5pDUMw&%&;6KCRxnwi4Qo8}Z~btb2G>KDOy?jPOfxv`F@SqW zn~8Xq^Tq5N#g5mq{xvc~T`HQc!+Ik!GqQpODnApEgxfoRb#bW$uH(7!Bhv0}^JyVu z0Z@Lzzf=j20IyT_L$1ptmL3I>1*$Gln)K7G-U@n51eM~0mxwNERNbc$^ji4gF{{h5 zx#hFNGfIbeAjYTH6wTVKEfu7y@whb%gId_aYlMy{s^{v_mh7J$N>M?M*L6)UmA2tp z?Igkfes%G)uHk-yYW$m*aBSCTa~X;MJq}r#BH^pgeT0hh(m(-sL}qYaq_X2?f;A<|74N-qNeBgvXVwz@r;;HwjEzo-a!6n0la5g|Vxc|XfUJF0HfLZ$Gk z8QUNm>LQ4`x^$`A*o}W5!r>TsX&;Hs`4&?S+f=6SO7EkoDu}Q`b|(Mm0|riX!hSg!vq*UnRZP&P7y8sJ72RJO|I{PlJuq%5u( zzS7}M`D}D|02~%E+LZif=!wXE_ToCDtcSRgzMU+z3|1}sKwbS3kcT947hHXGG@W7s zzs^ZAO5RF$RF$ejd|{QJ1e;Zo0LmMCdSVj#Q-B(-PHnsdpCJ&Rc{~$?4+E2=s#Z}v zKvz*$*JOTaU3k9MA=57{XBTA-b-A_SYdGgSqtG?09i%2Ntakl|Nm74aatTZ3IpUUV zVe{v1GKIWs`c?J*@$r%}r5Me0ReaqzcJXcrE 
zq#=U)RQ$KR66P_}Wn*K$JU;K1Aa518n-);(ZZJO0h~$^Bc?I?Bz6VTWol0cD40^)v zvplJe=?`jqq%s#MvOP#~bUfQ1<*A=K4=j*HB(Nfl84=1EaLf~|uevQDwcKo}1Y6Al z)WsQRPgwV{ABl-d3D`ct0zScuWx+zFuPVcp&eC|IhQk3sq5|p855wV26yHUfRfJ}y z>IbLi7f0w>{QCIJ`xqxTVa#UUDcU@OTH(3AW#nx^?!*$j>Ok3Y=|?jzER*U_s?NKc zW&Vyel0MjGRp^o06*xsl^}ZUaXIt~hFb{?WF*RSoPzkmMT{UU4qqp%|jm10LyLm26 zGCTrC=F=_&IdRDd{@Wmd29Ba>G|Uw<*mk05xKu3mkr)Es6;azV{WnMl>ZCK%tvKnd zhb=fdwdc|qM@yFmDSWW4b3#YC8C^szO1scwjB6x}OVxo(H`PoQImNNAh zW)=l*I!^fP)w?nJ7QJ{52w@tdCiD2no6sDp4#q9!#6ZD6cRJw)Z}QAW9E?T8xl>T5 zUS8DKIVw56c=-PV>1gx!%geJ1M50+djYCq=lM3D!SxfHW$}GGj#`}~nq5aZej8$bv zINIgg3)G850QaE1zWi03ELir^o7}e+JunMjSsb0^Ii`VuxKd_c* zx0Q@W(jb**04WJ!k`a2){99Blkfrz@-knyRBeK&#H+ zSk|K$^i@X3po$vrsHW}*T&DS3I@RSZ0qy#NTB(dlHOsQ!Vp~_;SFoX9=c)jqP1vNd z>`u|mkoUFo>=fS|hw*CGi(_Yphhg1{rGF&X&@;_`jL07Tn=F^CK68f6;;UM@eVVF>F?B9FBj9=IEb-(5HBxzGq0{(BH<& zQ=S0G)Va}OY#aMo>3j^oC_voc8v#Ruo*Gmh)<~y4XodQ`d5l%PQYk75Wd_fPqi~kl zBgbZMSbO8&pPm@GZP#uJ3G`7ukh8Ek1xazOPC?=nB&F_FI%GgAA|$LI93?KD!&44V z71rwTl*3b{?pty#D{@>mpOp~d4pq#Fe+^fv-3hB!-ae-fH5{XKlpXSPzO;^kn24lEFgThK@vxpudhRd^Ye)NSv*ZgFvW;1 z*za*Pn#PMU%r=D046iX050AJ<;0~`>Z~$X@j&M#x=sB8ai|`w6e8vQPLv3+AsAYb; z>#W{ppp}8^#4lE@^L?+P<>sL)70Z5u`?w33FljDeLaxFEOgQ#)@7d3X514rPcm*I= z7MfCIt&B)6Z<82<6*RRaW>(Q-1>mo$b_8c|D6>MG2>T-^DVShaBehOBt2d|ga7vH0 zx8SJGUMoE$-Y;oY*Tqp~%h}GUet)R|Nk?Z2bMY~quF9rd-+Iz%^V`_cLBMHkrS|Wu#J{;UQ*2}3Hy`Yj z+xU%##J<0@iMz``h>IV=^Og}n&`sP{%u78DmMo<2Iz4<%nH8Rs_Ow$YP!<0O&hm4K zq2(i5^3{fZ6Tj7`NNdPwtwSaEjKS)Wxw4{-rcBlL87k{#8#7YtT#tQZp!#5*tV@O( zFijj)@Jp~JwmH^@a2Us79M54KhjBLQhA5&d)rNq@%L*rE$_bh{J5Vf=6iA3wEcrGF zAOmW+CB9bRy>{60`r@j_ZpW=0V#HH%iv#b8*#5Ver(G1YE}~puNuOkX#E=g>P#obw z0pZtYuGc2!!q7}we+P0l@pokwMv*bNj&hUkGM;%)Qs4I&n+@R~!$9xZO} zAoZd6G6Ep6P`@Oh@s_wQahGLJOmww!8|&&~uh>oFgDh3uzVY?bWI_c?1P&`K1ykfq z$2`lzk_AcAOEIBvbw#4|W`KFkg?S@U-U5je2>KuK9a|ds_GncMZEV$6BCds%?6$tX z-UbUWbzmFfxwi9gHd168O*VO`c%#>Sq}S7B+9<3PUMa9e7w@c$C9mW7I`l;zg0qli z=w<)Vu>l)8{{s|y;INI|5AD3yoo|cbS9_-j@Azv z$>sc$4=f4TB=pmVk-`M$Vpj?f9uY 
z91+E-%;Zx0E78b)vj#V-iJwG%){M&wFnXi9TQLf(@F9N`UkJ}oSh|TmW5GUaUN_!h zTh|~m?P?sy37xEbE9Wfb*^0QE{xN({$%^trW zF_wLUYNG$F^=a!Ty>`A{b*YDRQfd$H>t)(~1O`(@) zuSs-Df$W+HDcjV+=EdN zk8hujo{tX4NRP+g)OI*z;d0InN5@BU36FbZKGw;(Cy60mB%Yf9NE$3mVh@##n9^^- z3jpGG;KfmRFOvG8C2+ve{-CSay==SBbH}lXbfoiGR^8klWxBg8;Bj2(S>YH0w72%Y z-mD|bTjNq`O#tW|oH1v-SAZ*7s;y~DJo(@tDeO_VxSxK#|{{d|0SBH|>8!_Jc$^p=ko$F*AOFJd7q z60!4qmF1ua;SRCmEVm}nBcyBK0Pg68u-R0BKaCelmShXRT`aIcDaZMc^1|>+0NPx1 zDDA*6q}V-MrSnd`lF?!L(KNZIjdb{|+HCoiKB(L@-8)5!Wd|bA!Z@rz^B|B=@^E)u z33Esk6_HBJ=bFeGMhg`Rp?{TmlaNI>Tw6eT3|RaMqp*Xpy`aGiOU^BV$QP<)U9&KP z<-lRYLK`7D7*W+aPpc0!jI=wg6IC<|ZHH!3w_z~o=zyrqw5r3YVAo9hOQ)_)FOg+U zNKp?`yb%7epdcJan2``yp}|#Xa1|OlySfSuu0q3JRcIg_Z;XaNNQ$8Nq{nH2t5Qro zryUIm)^?Elq_Y<7ZHwKm6LM%M0PbTp^OtcW^opJz)d~n@bC!r5J`-bmCpdU#{P5ny zJX@~YbnV!-k|_m-B;vwCBXwa#q$Qj?&bRIIxjEfsaji~wxlhDfw*A*#?rVY+eBtP` zXiQ2@#0OH_fN3G<3T!G!&g0aaX{kxr)Y?_N(hVfd^VrfS*hFyW!`AJB?|?&}G!JT zkS@AoTogE%cdOi0PMJGTQ1I!n4Q6Lgd|ge zaL(j;6E?lUs&w!~7ASeQ=8?`Dz?IJM0JR`5y@A+EyC#x1D++{zwin`)Z5LUHjp~mF`9{Sd#y+`Z;vQ%d|=);atPt{BhjS7kXb-(JvfB2X>$CikQe z#p}j%Pw8=N2f7C`PZP*2;@qmsKyttEvw7SF=>5tlc%0`-q~Jdd1Qm*$v-8ydgF%Q1 zZ|i^wo1=?nTXA%;hb=g|xYu-X2eM8f=%y;`sG}0{jz(B?T9U=KIMJ`ynXFA=usPIe zwiSmud)R_QoqLTsjl2GK*E_fVkGooCo#Q%Df3b`c26U_ndE?0o&Ww$&jw*@R44=)XiqGmN zQ#|7pN0vc!EtGKlC>sZUME-@l}b{^w{8-lGfs<}ugFkK zWuKtewp_XOlB^w9Kn~oJEK_n?L1Aw@{wlDAt@x^J(^G|8U=SuG4L6%#l)Srr6U=^j zqiCYAQq>|KO?W0XSKH=FhTgQb?K%kO1>#h;PG!3B>RB8{Vt_KcWL@) zQ1k1U{-Cypph}#3L~^6!*`CNw{k*&YxuO;#QMDNb;v-5WNWqSXh|y&6z`;X$I@6z@shZ13)QL&a^#9Y$c+#p{jC-&mQdkdc_eHhmRcS_U#uEQ zs~4sew1_$ipSJU6@Wk*pQnu5SecHR$sl#G;ANP#Z^hjoQUsJOe(z2t9nugb7A4y3c zWW+jwb3a9zO^OHG91|8$(#i-=c#&aAMs8Uc%#eiWc6dDj!N~hr)~#)wCdjoyFaYM& z3smN}%geJ1L}pn$jYE;k!wK$sr3xUy9)^NrH4_fSxI%Zb-7=RFirHeRDi@#LKqPBtr=Y+Nweyjb#XGrt=Y zM>Zl;fLHEVGCKvz0?!lhY=0$*eyR@bWquf@0#Ct#i`fAvY&K+9$R^w+LFUWgy|mz7 z)~=_8A&?4jgB{+iG*~PFo4_e2_tK6?x~?#emx6pvSp=WJO~4ekfCmZXqpd7xj~pO0 zz)K6kD1O8yp+6It7qMLXEuClCGJQE7-`(AfC_)q-0iMz*h{v;dnvP|XMH1)6iN6em 
zX!i{Z!}#u30XNvyueSmFbxwQlyb6;z1}HV_)QoVA%?)_3Ax&N_Kus~q`OTCI$ihSG z%4Zp+cooOR@5-wvqw;M?@X$$}z|hVB@DKgyHb~+K%U{uDLd$TRWcd7H7VjPO35KHb z*GOn~qx7%?&Ah|>xNL%+PEo!Myi5};xP*R5q=N1|XkYDXoDZ}quhFHCw_-a{pDtXp zNLx;$%R}Wbe)B=;)Zzax;~+BeZ5(i2_h3Zi;Px2~Bm4*a=o)KF(OZh6yyC=Qj6&&v zFCkrBT?L<8r$DCZ%Fm{AeEu?x@l_Hp@+udqOcmx!C|ioVIAvr~g*t%3k(C=9E^y;g zN{AHy2@=>x#E7ljnazQo7e)n8r}Wx_G!BWIsi5N22aK2n)3ht1nNxBE^(+8k4^9t; z6Vjij;V{@YsZ{`CJ_BMeaJ|8c)2eif*XQ2?>{pD$2To(A_sUXJeUO`BW$m$Q(`}4) zIn^*e-^W5W6OS?%Wjr>UC0Kh=$_lzTAgxw%le_|+|Cs@e^heWp@$#?Fo<1Fn9&dVU z#iMQCj<5sXKI`dHe-M~Lz(k>?T706Bez+WdfSM<7aCgq&?K8kua;}*ccTc~x zd}~sf?)I>&LmRYqleeDVrG^fj{N|lMnaA;sQDXX!ysuSidgf%EV|QhN+GSI*ZQHh! zidC`Aif!ArZQHhO+qRQV-TU_F?$IC4`2pv{8GAo#&AGJRW3zQTdEs)!5OzwoN+nC*oSsi8|c6}U+($rH*1P#*=6T%FfbelQ!I@TvP z46jm-h2NAXbk11FjV7a)M%ZO}+2I7BXg(LmYAH#7CrDWxfr6iO^c*P+x63Kg?fo^{oSAP$VS@xYka<6b`+QJN0%fqp;=Rlg-FbS=?k&pqI@BrHC53 zx%zM~Ls=3`b+S#O${p0>K5Tn zDI%)hg{A*ua18u_CwHW4nEu2htUHR`MkF@7)8p%-eR$i-ZT`Ys4A2RZ5aCy8IuaqC ziB8yR@VIpA1?G9J5sB_|kHtQd0XX_rzN^RC?=$$bHtgZ;(7CqrebEe znfrU5mZEcx3axDLC3&)K%i~S4xZW0bar4M6Z6^XQP?1}PJ4)h~hVz;4{D>q}$Ql2_ z2C;LB{vI)!{?1Kv|2C|*xuu}J*D!P?U%ccYNcD+kxD90TK3eX(VjPU?+6;b5IPlbS z7>Hh_Wh+!A&C0PouM`q;!yD)}%d3pTGE)vrcHTSOOk+_gr`2yLq4a3G72*Y!sGupO za!7Wwg&Z_;Rc+a8KSgAj5Q*uQbY%prS++y8Stl{oZ2t+qMzDpv`YTcs0?GRE0AY&A z=(6ymWPIyicEo}UVa(-HZP|B#AcN;gs}T*z)Ry*fjOck^Ih8>sY@JT9Gl9NA`jL@* zY-#wBF$$Si<-7f9eD{)HbK{6cB?3xNxYRrO^h(~Ee~1(3d}w^GKW~qTx==PJLQ{x2 zqWTvFx}W+t+KwVoy@q1mF>=paJG$vl1e%eMuy%2N0^Ze8sp>Kf^b|Uagzon5k7u%P zhQ8{rr{-U8UR!Yg^4)H)#8TR^VI_AEvtt8ER){_TJPV_h{WrWxFzaop!?;_u)90sC zm*Mq(h>W0zF3Dnh@7_BDAZBEo%uKJBtGow6h*Dg8T%rE>ll!qu|5kS{j*RzgCTKU< z*6-j6pFlR5dpTbC#le8^JY~g@*kxpnF>k_2{3Xb}2wQ@5Q=~V;@g2cV|G#K_!So|M zcqonVyoqA8;JjgKD(T1V0}T$bF1|`hVeJux+MLlU+|`>js25TnrXD!4X5rCQd%s5t zQV=FdP2zSR05V&s42bHpUk>c+!x|7yt-i)6dZuFhQbFaA?w~5 zjF4bRsn`P@{_psgf4K;KfF9Ha&Xfs3YkOAzDN=y6F{K=IeG6C)q~8f=Dc$F|Sx=u| zPgU8Na2`6NyRBtGo@2ii;<@1CiZvTm02M%3`HY`^$-Y+R#Cw!4RmBm6xedHd5$>WC z)+g 
ze*tuKWEVrCp>DFI!l1xVqdej23w8&9f>Q%Q6lv8urx0sYGwmTJZY~5+AXCzXk&Di_ zv+vd5flCsYpCBTfgbi+nD{)epztQl*#BsUahyFfZJO(hO!+jOMD85m7lf1S$klaE= zem!}RC8PzBZ>b(SEud7W@ne4g-TL+A@82iIM&3ECz%U6Y%Th-shYj;N$k<+;Daw!W zl?&wBPci6#%--w0E9EpIOPf-O7*!ezYW(F$&yr@jOSXJs4Q{e{0IOQit3_p-EdB$h zb1UA|K)a3RpNra?x1r@3StCq3wnC_K$!hR#U%i@|9~qkUCcQj-@tX-XKgnEmgt2f7 z(HMTR=|Ri|oo3jG-#*$L&;ygehuqErQQ)gX*eAOJCS=Bj{$A^a5uxt^_+rUPIK)9Z zn|86mgkg`YVoWpHhNY;+X~o?Gl-?rqIY(T zvE<1x3Wxd~j3E~7j>r(Cx-9&P2F_%uj%8A>o6X{JvIsIw>sL}Pi6%J?U>jh=E)wM- znpd9)m;EM|Kzi02EEDnawm-}G@Tc-!PCy(KF*EO9wwZDk z8N`30>V4@~Ay=4QN1-scrtNH%wC;LB)pWb(k+HrCOStS1Q}exBkhwfdU}04$o>-)? zcO2sueU!KyFH;}|(LlNvqW$w^oXaDDoff%7UhX2Zt>sGj69a@Gn?r-%P0A+IeNBQ(0s|1`vA-c7;v#C&+PfisO zbca6DL|NI@Ft5mt>P)KAm!RXdv;O!6%1**;Elxwbcz}86B{8iA&2i6}Fk*46UbXI# zwuvZ2E9|i2pX}cg6Ms*aHL>KH+>|DQI9+Q3GeYKY+#6D0o7lDe5n3GkZC%xMOpsNo zlY(ZbiD4yiYWOA`Z~&$Yfu8xK^!K4&rQe#ra>;c1@UGOMv&tHhw!PFYb-ifRW@W+>WwN~tyM!iZa4~ikWyRtyMR2ji zX7j~28M_FDFxSDUhv_idCDB+7W8MoQrB@bZ7_yVaaFPxNK!;w|<97HgAQWybzuA;}+3N!;srI#ak zT!S7)#Nz?axRUdWfN~Qki{8WDrBY_}^5b*R*!7iTxs6=98mE?=HCI7OOgr)psa6Fj zpjU;-Q&#L7uG$=b;tpa*o_!8{)mmWU*!z&7aP+IQkA3?gw}?{o2T(7b+56&_4N@$@ z(=oJ%_tyopz+mYPZrni7bg8d-Glt>aqK;MxKZ4xBH}NA1FWR!fg4Pn$R!FqPJ=Ld9<5fJ~vcp|}2_H>0ljK;OM)F0D zP=-7qg-882ES?;oud=#w@p(qbuh5!RyEs3KY!S0e0S#+uxdUWjbL(EY%uZ!w@eZ9i zq3ZDbv6SV1zdNM4qs!QCsl2lRw=gc!L0m0wTphWsbMBv(U#RyktlN-qZi}N$dD{%& zgX8SKH`8HMA}ST=oZKF)Ca5eTyv08cSW5f-R;$;9y7wNs`?iA1azH3Xugv^(nqXo#D(79q4JnAQ z(i&1((k9p+ShX^1Xdor?ZaL{7vnl!$rJ%}{Id6|IP#5P*>WUcUEy_sld_LIJ5X-Ez;N*FYhW477~kcooRWxKpfnyMe~8(FU38IP4h(Eycb<>2My z`b^x0>~gU(rrzqx-O?jBGlB6o>yQ;ubw=!${CgQ;CU5Vh5sIu%Lu#YRpZ(WGaAfHn zXiJ@)LxNF}cZDlxao{H{wg+{|vH|43>2v>rE?CUMgVTDt8sFgfbMLBH?XjPDl`(iW z=54Cd2CL&htyX^XzSlZCXkGqL{(Qc}7Erk8$80-ZQ6Qe-CE;F4?#Vt1Btg;MmgU%K zly|jKlgshDf6Dmoh)qd1eljM--ZynIIXtPd4_Hf6TdWxCK>2`O8x*K9!a$dv6-^*= zKn4mnH7xLfJ+G8twg7u7rn;&z8Rh5wPJUYG^+*HHY6z=4v%x_-%A=u=rx($ma1oTj z9g07#7x9g(d`9LT-b()i`t@9^%|6uy+U_;4(7%TfhNn#n)LVz-YqBzR9skMmzIVzI 
zzWY|Teo+S{Vly$mXVAPE`jFZ8ycYF=S=G-*oZ_3pj%zwO0;jM(@}cpRh%zo&ljm{( zT#1Vj$Nxjq42n2V{cf^nJhYY-N+pMZRA(++h|-LS&*Fw&%Z4ACz+`$Ye+WcK<(scR#!Kk*Ecbm#7zQ^S&xp zunBgaZOGqBs}RDrI!-9njta5RBKb1$5mcjG%9L&i1a-g>A51IpBUET*E(=#rTP3LG zePvjNWu^Ze^s6E&B3IJhIpJgS#frW1hvtKUOx1OXm9a9Y*i*K;;Tt1)tMt;82tZcl zbJH7POm~o#Ub{z32HiyG764f)q@C(S%3!r8v(C)6SBS1C8k7&NVCWpzFA_r+C3uz< zr+<{SgvmoEDyrx?*t9hD|RUN!CG`9mxjv42M z3$CM`b8vFXott>eiy2hy(MMd{)OlQ%q!>0+gRc@lz;UA%scNn~(@*MI<+cV5R+1W~ z|tgsHniBxfv+h zF8@kJVK^>S4#lLBJDS)yTEY$=kx4)H`e`drt*Ifcuh1grEVdXb5`B7ao^J)AF0uD5 zaGIH|BNW1+i?7)Om+BpquvD+$P_)@1u51ws;_;$fbcLd)hoQAk2AdH(rIhf8Ek}CW z$TQE2XN7%B3~{>HW!+4Po%%FcA2a&VLD2l`Dnzv!*(S4G{-JLE=_;uI)vJs=Xs-D* zI59DaCy5IILV{S)16`ezkDLjkTT`}ZGqX4c;UP+x6ij15ch~d45n7kXgz$T$@iEKC z=lv=K-z0(rsUXXTSbRShv)(pCzE>G`yr~If?0vf~_4@Qt{t=lY39A zvn}my81gFg((hlh$s;Sv+(9@C0QsiYk_gNT-)^AV^*|w8rl5ccXn?NJY)O0NUPk>O zm)nF?B~y&<&C~#nt#I)3CJFL&^}p3ssDedJbJ$JlTVmivz)K-Ln=jj$MxQ|vHFB}Y zE<6|8E{3 zby>&w8llI-KS{**G>o%D7Zt23`RRVsrVLR!T44QRR_Tt%0^m7FnE$}4s;q){RjY?Z zK+-!Q}>F%+1kTUo< zX|0UJ7wQ2WO5+YgAcxfSq{@kyva9IpX9|Fk{uyd_m3gnn>ndtoT*dAqZa?_zfKt;I zKos^V3!B@+7C_i&t^RaWxplZtBmmnwU=DXDC3JxIw=-p7rP4b~a@6A2d#r0@+n?3w za+9U3q-k(^1yV`O=fm{RaC!o$@@%%iU=+Fzin&Fq-H@LLP_mP>uY;EpjnCpIFwrQ1 zIpHwqXrea3pZp$4y&w>AV~0qoM>{us$yE$>K_Wi8(~S+76Pajt7Ii)NzS$Q**_Dy} z&!(OO7}{bqWQ}mJ*MoGxI2To@8YjM+Bk0zMcj~qSU4-o`Q?$|GNB9BZ+OdA~UaN;% z&u5D-lP8dvBOp+9lL31NJLL5v^)zxg{~Gq32)4Zd2_@+q)(I4+n&<~=)0o`c(+>GP z(0;DsDI~jVlD;lpm4l7XvUSeYc8>YtrXJslVI8A?l-ZeA&tm*Mt5Yuq8wq&16J5@x zOGU+!vrN`2!G_b{gV4DlI)%i$7|k{;K1yN+WT;$z4wtZ-?fzCg+F_e+ z<8sp^{l{*XRM^1c@tBXg;d!MvW)%!(0#MS{l&~-M4}YZ7F_ghrRph_tw~Dv=1a^K`l~`tg$1JMa5rFq@a@o$wElkMIX91nvh-43YLM%`bj0uJ!TwV_ zVKNNabc5tZK9(jXiSurS@=&sXYhEcpOc+!2-%2n`XwibYUcrwzOUunWHC_F0my>#* zVEu300LzRYtZ>UA3VejtNNy|!bTEuwQCP#He{)+eW^Etow&N5T^+G0v4Fkipk$GXT zFM-O?+|%Sf9jZin5+-h< zOs;CgA(l_hxhFLRBt{ad{)JWmjXG?zOMU}JkY+*&{%s4XE8x$)(pQp`V(p-0ys#H5 z^U0}bGY-#{n&_iyhSd-Mw<+jRldMVw8r|3TTR>6-Lf;s1C$#5KjoO!}=bN}8W7Jn+ 
z*NWbFwsGzdp=w7Px_(C@hs=wJmAhgQvE<7Ja^LyaY=I2=Hi3S`%Aexcdo%DF`gYPy zXP;^JeVG-*c?D2j@Yp~WR`~5pP#g=BjLU&A6&oKBzXh2YIW(yh_*^kS@mT_gFzStz za*ZTvv9yx{i0@Er?e$&{rN{Pxkn5E>{3%mbs20hmRFrh`9Smm|e4huMI$j zZ8@i9MDEW;_4CTGGziGv=O$LjP$c*kzv;gwLJm#JBPDR}Gb6I9`K{7N7mAW*px^Sj zIw#a;#ih=+cSoCn&cF}9#l9=!zN#v$2`f6#XQo!6X%Zq0g}S^}Ff10-wlf|l)wa8E z&(qZw!;Ey}t)XQ@lPsXWk($bCCPuhsk<+s0RwoH@#2Nk47G<#1nK+vrc(jTl5f${v zs-vfAx76gymu)?8^g|gZ?z~a!pa_yHcYf}o9 zfSNPlu?x2=G;j&O+KgL#{A~?Q5 zls+_}QWwk;aNOqO5Pt+XcSxzp-TPHE^m)rnzTko54Wt1=$ZRNh zwZX7(emoYCTRZH23MIkjy=M*JF1h?nCR0%o)n%s2|TbsSaB zo8`y)hA?gK`M8TM8{I>7$$%E3<}{O>9~$o1f%acY0&Q{Mw#zQ85f9~Fk;^(Q_+Pwm zb=kT|4Se>pSxMas2OheRvC_I76xx8lmO3iNsD0X9&dK_A4LE-QLB9y77pHVbQd{Wd z##DmsfYwRpJ~Iq0uMfY)OQM7kmq-(Qszfzv2G5m36V~}Nu5sfIfApL`9+Q5dsiT(< zqFnx1PsdA5bpH9n`-3dwS|L@I#mzrQD{tECno4u{R3{dr#K7i|Y-~q>VnBRO%-6@5 zVGwy)=wEveCz;Nv_(+WX#$i>Xo}Agh7Pk_}lGj=q9S7r$N%jY;$xWNjcVdfX`NwqB zcb2&2r%*a%6Le8!5!_Yw7<{^MU4;lM5gdb-m_?(@6KaL)Y4OoilcU4ZyvqCB4IUPn z35+RkO-dBE@f!+KbLM*?6x^g@_k>b_IgG984~6n-27~k4*0e7}&%eF_ZBkgNK7fRjmjZ1_~<;Jj6Sp6`_%)h*$0zmpam*a3jm7X(^cQFago<&ZtYvDuwx|#$TZvgqY3hi}4 z;-4(uxHJYB9sMGjVUja_5Pn<+Xem*knr#)wPBC1j>5>s=ZOgrPghWyyA;fYvCuo0a03LCCl%VzsHGRq+C}AZ0(k7yx0e0Af zg?)&bB1C_f^UW09T;Z|O_6@$Ut@E+pCG_*psus_BNKf>g5x_AS8ocR->QvRJ5SAyE zTO{ODMYmBbx!*z+$PwfAisnhrL6u!M(nby6xn8=+9&Pgb5>kk8C5>wvP3J(sh=ueXIt0fK6}_romNa&A(*ReCnMonoQ=J!QmiZX zlp(c%m6VKl({%JNFA{HjRHw4Aiaum^n-O8%`jj^V%Yq~yH`)+f){Ln7T`sJy`rT_F zxKPV)%NJz|vvb)^E46jr^Qt}Vw#3CY4DRnDezkPdLRkUP46x0F^^U^vpJLOyy1R!y zwZHSG#2S>(OOJw=IQq?k6DP8jl61|2F~kQrdcw1x4oq3D)%-`^<^gQdW7B1=GgCT5 zI_tX{G6&X~*`R)y%n7m6l!gwsX}WMELy=uyDAfALJ;f9k5p zV~xASt%8muAG@d^5$RWUUQJj%M=pxP`Bj}D!}(V%(P!cZwNbHq5#D91QL)fHK*9wM z2$~9ma&IhmQ`((KxM5(l+wJ{YZ|XQ#b}i)#ozAc7`x($~$LzIu2-uu&2p#6_33|yN zSfLt&@LSWv#bkY8sV!F>x{}r$RW_RCg^B;oyucmIJ-DV~0m zOmkp~=|%3vVzn1NpHHo)^1esE@pFk!#$jcwu*8sYItGE~`rCtM1rV~waHIrKH?eJg zBeFo%yr3M7!u8cS_NBrV7$FFCfg{Q)=qCVBgTWGM+gYX_==xw1T<4yGRJC*!Iufek 
z&qE3IxUT0qzURVq_U7aR<<&8@=0nK%S`K?9z#9|1bZ|z*xNy~WrR|N>WeUMC!$qJ#5ZW{$$l80 zE@Aw%OZXk7{%AVW_%oJ0r7&NKrFxa9+hv14wmg$lRr zgTYd1J?!xx8xuhu5BsLj#& zoR*vz2UjS*#N1!y(IkUM?Z3gjLbzD(eq;!O2R$<7>~Lt*9D+DWnrg^U7n^DoM71@Vj zUod`=K-;J+igoyRJGHY_pEMieU`mjh;I-y&);sBe)qOk%TusD!SlSIz<8{;Wy&6>t zfdf4*p4f4?5U8%;b-G|K_*a@8Ylje(-`d)GV@i~*ssvxMD@&@-%s~nw-B%5jaRaQ_ zH+b3Syw446rRxHJWm=?;(&1k(04UI&cSQ~OCwk6|`1^;qZh$Esg>QP59*~Mmcslr*hjs zhB?@$ayu`{j&;wtiEPW{nh}dO6no)kerXl#+G=;rjJP=u_AR|}1(rLiGldiC*s#&k zZlRu$jbZ=taNLx;i$^E+T$)g#-dio}#5UGzy)JR5cr5yvQgAu!v26)lzF7fDt|^7y zlKZIK^9n!}B$DsOf+K>>OMOfTnE|yeYFOn#k07q@iNa5?&mN&8BUQx{J@eX$njcuk6OslI2S~+ zw?XFKWOx}&mo88Y;H3GOWb%YTEn2Ru;Zu|J;MG^e<|Slx1T{f66XtpkYE#I>-LnDv zp9;IX7s^(JDi(Hw#$8VnYy>=hG1)7TV%j0CiChlV%@aK+S_gw_K{je?ofW6>aggE1$31(d zO&-?Z`N^g|8#g!&8+OlX+qOTT1_?AUZK)*fjjAM+CvVD7IlMK}WHzr)ee({16iK+l zJ}w=?ns8<3P;d`@Xd9xbr`;NKK!>$I$H;wJ!oMic(&xOaK7>DK(4E>e-}G#UM6=YH zqc_yE?_3f=_1a1xQj4gKRLjBGcHE|&kxlLRcAOCUKy?`<1QDD>)B{TJaA`?(`;mjn z-vJavYQda1X9?zxCG)vc^3S|T&Mw+Lobo&C*;^DE3k>JnpVdRTP~ViOZlZW}C%dnv zA`l4lot$2N-h4c6#bjb(~X>E~LGN*J)E3l!*$Vu6M<*{}#m z1Inn+be0*9YjK)DRZ&^>EzspN1=KiUWi*<>6sbD@2K~}WJd`aZLwFaJ6f{6bdnA5m zx~(3$jtXQWMjftn#8}e)dMg7NMLaz$cP#Y1C22Y&QnZ;o4Yh?9x`c(_$2;_IB!=E3 z6gABCDzWH6th~;}^s_EiQ37si9JPqv5R@?sjcnR)0iDH7F|Q#$N2H-TXyC|dCx<<; z$?SK8UFOhS=2()p!6`h*7cxpG;FOG?2xPqtTAA6W?sO>G@0E4fql@a!Ctv+6*qjq8J8&ThY%h%*;&PWA`k zZw_LjnGe21_DutU`h^&k2~*c1CO z0Hb6}K$RV%BeeB9@Ma~VTgoF= z03p0rafy>tURQ(@^kCY?LXzrs%_FeYapk)M8nKVHCwpkt!dZnSdv)9|P>fMnlD?~P zD86Y2C0xUtdo!q+tJ{-UM4X@ai?C}FXslX!m6G8}oT4kOzqlttn93*k^qG76Q!<6y z{dVJwwh!&g(frqK$K(FAy&Ne{0Hma&NrA}_bDnCR?9}$~>pL^c@%273x=tgYLHCE} zg)&nGVp^9Y{Zgqrztd*ihmxJ5z%NHG40l~9jnSq0NlhN^0R%lltw_v0ti*_}PxN7& zSBll}Yf4neSNlGuQddpID)dtt>@qFuy*jd%6mm4A#((U_u+U=$Pp`|7=GTRWYh@{q zl*5YB-)?)*sG0kTkpGQtFwYXRVjW0%jHlAfC;EG_b*Oy$F4XIiJdK&O{qD-83q#_f zJY=V%GPldexWzhv;PtCMp^FD_46(8hqXxlD4&Hp`FZSdy5hFiyt zX&WtO_2cnCS}o0H3$XW>A!$^lNhYY8OJOA+(`t}`WV%7S6slo@n#ENOZZgDJ<9qjt 
zE~ql5iXn2<0UxbztVCCLZ7N8W3j^@)0&PT$P{Ej5sk8o^)IgsXv-jW11b<@q+NG8L z`vY;<{BdoD1*@7_kI%2KbjMR)AAm1vmz!9)>?SKmx5{%in&2hvQgD{Bg8)~|A06RP zdvkS6_cVhYH^EG%m=?d44s)iCEJUUYJ#Uh|q|^7f`u`~ouvTuLE>)I&6=V0bYnFn( zd5j~pc8{Q!8FFUj1?MIG+#_nr&M~+}70gKqS!KX2v3!GAEk65q)lF9WtM}~gl16*wCQ;c3% z&W-(K3kbx!76KD8&w~q4SEXQy3|3ksVDkrM0Kdu$cpwjP#ZIYyVw(ax%lMLa)q&~= zYTt(}!p^pv!_ZwFh}f(7_~{-VAKcKI&{%~|z8D!P%k2oesk}63<@l8QcE<*W6geCQ zX|?L9SiPK6uuZ&XGQ}KL*i6vv<-;tXz?GWzpj?W~} zkPbG?)C9$UmKZ}KVzM@xlfszV))btQ2AX>(WFmg7cqxT1Vrsf~`N5ugltB6Y)~Ry| zatyk%l;xsUM91-Zr*6BgesjemK|R{hr5kTtO&0>&Lm`8}-%WEaUpt-jMY3Mex8tSK z;AnH_`ptPW9n>)r8$GFAzZA3%7_hY?z=g*F#2&8#uaRYQ4WyS}W3_d;e_PMwMm33w zulHL>nstBtDx{JsPH+S2n)_Ay0ebf3NXhbPvZy8tW*Vc%u&d|w`2H&ygM-E94t*{n zeNLF)(3v_l6ObZ&4!}xmA#Hc`$m?4XXKnn09{B?Xwb<_HF(^qre7g8trWK&zT^9c!Q`s%f}oSCpT-xU5-H zMPyCJB#a5eazv9A-)hn2LGJ~rh**&%hwubpy^kY*`HJ3eouS`` zi1I8ukk!2*BR|vzwutJE%NBR^mVAYL%Ad|&^hSK3t^fx|M-&gMOu*I#D!%lo+t={| z4;Aqac&K2{LCRVc=5qEDr`n?t6exdKBNh2sww9hIEJKHge;5nl=Rb_)BIp0bSfb1R zgRy`k{#{GV3H=YoB38_hfeTHx0Ff2cue)8)1{(63!X>xk=8uLZqzT&d`{n%J`qvYc z$Q@)c!@PT8RVDApWKG?ZYU3%ZNPC7EdiJ#e0d$yX>bP_Y19B9jQeP;ox7cFi2C=2h z&rl#gk>|wO>;G^pYlyCxn`_h;mu1>_mxl@TGKn;1J%pu!@BP-a$;4>kO2o8lzm9#! 
zb4)T7YK&84)321|dhV)|Z!n9uc#NrP^`gXO^rivbrK-=dLL(NZ94^g*KKc422q}#1!ne zkkmcI>cg*4d`ac*;xKY>Qy;F)Y}_q-vCI{ag+ zpWV{!-s88=Ip?a&chiydyJ75f3+WI7sx>L$m)JJuj5ye~BXgMRM)m_ongC@~TO(c9 z(6?LNT?AR{HX7Sr+6WgD@G9tjc{XHUQ)qRkUM*EC=;IQkhg!*C`MIam!c{8{clKwr z;D452sT7z$H84d;!l zVF}pkkgLK7g2f8ux=46dpa>{pLRa+=-$+4djuxkf9aEdd_nAe}^@ILkp-JU~N7QM+*f$vUe4$hBuPJotfi$`pP04HCeWf!p zmJ>Jp&E3K3fK)(jLYci1A0OnX{CR~=b4=8HhCX>R{^Oxt6Qacyeg$Ik5zosz#pgB5 z*Cg+M`1PD3YlbFLW*J7~3di)FQ^yS@RCG`&7;HR+n!7mUP1mh(s-p(u4BmRn*;DO&)Bm z1CVzFE|M#|=xL{8aT;%AM}toZY=;c}0om2M3U$IRHWT)j)64pmr0=7dm%0kOA6g} zvxN>S>5fwtY-oS^$0*$e|A$d(Yr~ZD=fn#Sf;0b`$ljNvlS~jKmjA`Q@=rxNiegfO zTJtmRdOwTj4UMoG#hVk3FVYTF>!U$ukY>nQ%=hgfRGkYS1X2?Sz>Dl#Y$HG0yuJlAAhu&vG5@(oDY~$lpn<(yLdWbos1fwS|1n1s zJisY?q#*#;I6&C@gRMQ5WFye<1fC5yOhIw<`r#b~<@{{yT!S~rHRrz6vTG=$(ia284zB@m!Ee{ru@E_<8++b$WD0^g8_}L7p5QPRizdJa*csxAB4(vBZ z^Ww;@koad7<&UNLy&#lD-KhRsxAQo4d_aB4+6G!k)EaIJp|8*Z{v5O3DBr&)`h1pr zd8d{`%4W6E$nNB_ z`>+3tH>KqFe(b4!hs0<>p;1%Pd>+nnZ@F5|a!@f)?Cjb;7^%<8UdopONp$dVt=ul> z?u8k8fs;#%uyd9i>SPP9F^q`|mBG^;96Qks`wCrzxPE)nEdsWHGAD!fC;;QDQd!Y* zODlJ$#d~$Tr3a=a#_>5BWbc{zq-rnx$j= zVO=O42e;EHFiV=EAAw0q=ZjNzsH^OJ{aBWO+#s$xSModkKs}$fKRs=Do{B?m!-Jcy zZBPO&?S;^h01PRqJQ}!LD-pvL-!9DBaqxVThz#67YX3ZhI@rS@u_nWT|)cFPg&oQh>2!AkW{%(`6<|<2<##VwWspF#NNyk1VbQ9uM6-)^w0ki+eOjFO< zPd9{S%Fon+2wc^{)c}wOc|lCGw*I6pi^Gu0pH`BF<4ZnHv@iNbhg#yZyd#3#V-7x> z0(YW%xkNlTEgJ_LC&1qFN65$=XO`hDoF)Q8ENP^l<&XB~tk&z|ZZ9TJalEzKka87QLYCd ztD{;r(nmuEDi4q=m5OD52d<6-fil9Y4D>t(E>>y8LqhB8;NpW0W|Q+kGi3yt6ys(4 zr;{w<^7iyN@{EX2r~k`zosjolcg3uUA=43xF6~zxr==1LIZDOK<{u)Jwzw2FhkNgD zxsMG3!#2N#{(LhC`84^`RJv=~90~{xZI`LVneX@~8hM5@@12`$n;X`caz&LuB})?B z)JNR#npgyrMVPIH?d$UtqV~%J@=?Y5mvLosDSy2i;heNh0`|`=r3kjwK|~7O&`4+g zUEJfQEGVwVa*L&rBSQsE9a$AJPpjMoZT-Yh6%wq53Vt1yg=Or%0MFHW%OWldMaYR_T}MD0gv9ZO+3u8=vbjvie%W2RdYqF~w+ z7xX_gfPtM|?y(Tbny#2b&+U8DG^4$Ts2J^QnYDVgjG56jgQ*lv=~iG!DvVXPqVSY2 z@#zs-5Awxm9_*6RP3&V2=ou9ZxxOinbq?30)r-HAUoyWfPG3mW%fFX*cXyrXvJyYK zyZqrYzL#m!?!WE6bd{DPNC8zp`KVYuwO&S 
zQESeed&UoUB80-fht#q*-P}O+=UpCc3plb+JRtTq{hdo0BOD7zYBb}I>le0S=tcDxM z%4`yRChn+Iyy;Zn!4WciO{wVxF$OR{jfHesiF@`N^4NJI6R4q^wU}*jdN2NIusDd0 zbK4?)Sya%m?9H;W*~cki_C#|#jE)ghQ`GVzeiQ-KdX6MgDW<<1knQgj=TsjIB;^-na7nZ0@0^w*IGv9@!wB+n0TvH{{V>#P-=jUkE5)2RVC8 z5%Iz^%HY* zrVj&hruLwcif|ZTfGpx5mSYZ7tZwJ~WR5s*RXe3~FQ=_KfCEr(=N8To2iGB+7a8l( zlUvGglSOVejUK8FEAdO(zaN^DAco8|CY42BqyM;5a#0H~+5=tmBgJS<&=AduV_IZ} z^s`V3nr>nZj07b&lWQMv7^?QV}OUnldqj_=9j*p&bE<9)GM@m zJG9p>5}dmU@?BxOXzmRbMM!sNlP~2-Hm&Xiv{PqVX0X_3sJx`|V5Zxh$TXdnw_E{KxkFFIZ~U-VQwZ|>9jWW&l+zBB?5TL{YrB4s2hWHTjl z>QBeyp!njgIv|dk8Or1pUiA&@+vFRss#9Ah(?V5@gd7!j*&3jV@c|e37fUi=5-k=f zQDNn6^*-!Z=>V0V2Uw(-{dW}SCW~M#wKaK)9aOK`Nq)EC{XPC{VBcD}2kU9|er%`G z8}E0Q1xEjU^BMZx*F)}JpW{^ejQdG!Fm45+4}d=CPx}LUW$B3z(3~29!Gb1$9zlyIRT@Nz zXSOYhZikmV`#IWzhBEsh0qvjK;k~($8F3_0IUbqNoERe`L+<77__Y+{C^~r{b};IH zTiYWHiMJAiWB5^>=Co^sWb6ZRGhQ)`*+G~`#8pAhXv}O=(Jq_WYDS&7-F+}+|os8HE4wW0UHvIz?ZKcLt_4losvXWQKj4!iBPnLU+!jLdt|EO zEtibxdC!+PQi2L^26P}LBJA?UiYZhkoY3>!X6;H1r39Qd@h-mB3X2JxOdkmtxu-5-z?5RbgycsCB^U=Ri%%XS(Mk;D62l;A459YBB8Mi;##MP5 zbf>nH#NxM=e)vKpVe$1ScEV;Y(;u*!PZ_TmS|@q>`RgiLYB>Arq9Gr;k}>))nPx(c z1v7bv&7>J%UBAp_`)otw68Mb^&P^)($vE-@aaig3 zYRO)jq6+~_F)X#4qJ7mC9mOYNGB+l!=TySXH}N@1T(MOaHb>Vid&bCft3vmJ8W~7D zC*ne5yp~*-!BHljFfz%tXd!3HEp|oo;tfVTb^WGYvH~#bW0@F@IV#} zr@CtO(3b* z!|~Z3r#gHkEr&Y%Pp@Gvt8#Sp>}+oVt+Q#E&bD4!TgU3Nl=dhh&#ggeXE(*Cm6`wH zG3S^sO3AtaEtTx`Tq^Oy83;+*8ExtENRe)Pt47$mYppAFy*wM`$cBeiYlEzG1ikaB zex7QxZ^xCUy3Pr*MmNYB`K29X)zvlzWYrcj_2+x{rEHM3K<&0)DwZV?@pc&YIbJdL zV<*f`v+gqqam(bN?H=e<^Uk@JTyqZoZsK3AmTA|*o!R9ZGF>pgY%Ta9{X*y@#pkEq zv{S3weYgC}ZKea_49|-6l(pGQ=C5?Y9+aHZB)`WD$->iN1kBFV(?+#fhX0&RKcv7< zhZV*JWFfMjeW!T*`9iqrm74HPCFnJ7rW532O(obR9b4_F;t!CHyGHtZ?HlCtX|MZw z`~B0a87W0HuNGf45i8#sJ`?u~>C5r-HzND|xb`Vi2{ZG;{~YJ}ZGTeh{?U7A^D2JK zrvw7nBXs6loO=XW9V@9^Oq;qW|C!~X^uqrIkiY_~&b*7Q@*y3l5wd3cC&u7)klQx$ z72`BP_En(Jng4l{P7V1Q1p4Mud}H2YB8cD z2O0)=wfPdY{ZjZdC1OuIplm{)%{}e<*Xs z#M@El5zjhn6Zi|OZWkdy)Z2L`A~}a=&ig!=mM}FiyiszUM0YJtK{JkEE%rDinixW$ 
zk_7LR^c@0J-7136$h6bqKpTd*U+|$ivJOk&s8flus#6UoOTDU7B?pa#LKT%sh%8t* z+9)3PZkOzgS&nr8*-(Nb%kN~9yzJJ}`K=&(@&{@oZFhy-w~quo$G_|vBkU-NEI-a{ zVhC$sMHG-54o1K+r)z6M`!97Q_+vFdsSBp|bQa{c$CH=_$gc_|lk1PHI^yV=PPO zS;bZH^Rb{6a$H2Z!`MXVw>QVruTH%dWm|xcz+gM2m{se;1saStAJ8X-xn=>AGbYGb z#Q2c5gxN6h69LU$_(F7{;@J$HCBh@g&qwM)1xn9aj$S*|=!X=SR)Ri?22r02&9a7{!VBay$`V*cg>kE}b2D zZhF|YX+%NJ=gthwl8kVB;aaW}ef|34{M3+iP-e!wbLxt6;17&UyFF{7R!ccs#z3+H zekFXnduIXrL1>IxuBD}x+L`&%(@HQlLw7=sK4Rl0b(DNW^F|h{9dK?tr8pe6lWx`Z zjLW`dR@F!%rjV6m!;`1r3OF;QL&pa3Ty_#SUX)vcF+mZW;rMsk3hj?b_V3pg`6~$+ zohaK+5M)0fgGPgVA}G+JIK$FURnDglH!sz9Mgpt93s)ZuI6ES@x`|FHvK92eyWx-n;$c3qBXw)HfX~U{^%rFm)Q4lxo<7WYEEBlf{ zM17bT2I%|~m`DaG-5u7&IvK(a?;d;YmAa^qRpQ`ke)>%bv3jxC3(W~WQZa;6MeAk6 zm|qpVf6Nr%El)D|D|I=zQyPtZNvjvXfZ^>~*QY?148J|!K8D>%-)G%l$j!gk1)ZPp z&A-bx{3l}lj>+=wfLy2%K39w&sJ``@K~-B;ZQv?&Bg_yhUVV?n@+W??3eP?Ae5$4e z(n&KFGar{7O>xd--PhX8XwsdFHmU)xZ$S(#q5}#jO>ji^q;))`NIgscE=zhe$X+U& zBxy6%aPe{Wj*H=I5cX73RHqVO9Q_%88E^0}-%(*A!D)%}4liJLG#~c8gADra*Q!Ca zZ9Oc66D?t8XU&frb<5?i?bsU2<_RgETV8bB`BSS{RbC}tU z^Z2VReB<_b9DVeQ6xMRPeMGq4>lD^xdtVaFfb36?n( zb2ymo`DRasi*fLI-NI^(wYcsmc|yW3d2Gtz)ko&Aw@#&a2!g_Rq{7zaROk$NvK76h zpEOk-0M69*0BpVC#gB$!1f@(y)7rx?2~cS2H1~a6cpoN#i(Ljd*Bkh?!0~gC{|ywB zTH92!Aayx*_$yOiNqZP^_dHD7#?QjX!}pi>`;iu^DrZmSYqGrleQ?{QobDrPMJ3lG zf2GTezm`7mQq8xg-^)jM!`Ct9$MmVc+dPZvcp?_*+)u>q)w$@+!rXzf&Gk&Xl=RK3 zSpMZmkrh@Np*FY$W0G5|kMsNz%qNzSad`9R2mxsiwPfnJ?FG5m@t(WKN z-we8sPFm6i_izMU`J#VPDbhw7r>WHIY_ux5_p1RS-Ph0o9B})Tk$wT0)WGrgF9^+^V!z~46CttT1*zsS~Wh8#F4w7l42Rk7>mhLmVnq;94ROUX`J!rtRHKe1FD4L#38=5S4^`+ zo(2R%!i2pZoCp9`dtcXVSzkGoO+15X9qOf++EnC+T|qlbQYs~)&g*x1LECP9>_dX@ z0wXXeFx(3v)F?c+YE2v$z0K^OS`m8A9hE~DM@L)(f|<8PQH1!9SyQv7s4-Id3%|5H zt-?ZWO$jgz`?9X4UKMzUBK!FejoiNk{M`nJai#b)Tx9YPpJSE78eYf(pE-0I&jDl-@1m&il>2F}Z3Ko~0*&MD~lUu+>*Ux@=ovQw0vmP1R9G+`(6PB+d!Xv;#RiF|`4M zrA2c2p%l|>%q}4J($#YjLz9=zvnOf&Cx*pUZvGges#7xV1pO8EB7D;a(0|?eDYDX~ z`V}q_uaxU+tx$;=y+X?mQy@1x`}P640Py9gKo-?&L~$Xm{m0H52HCcS>FE>9cz_u; zQ|4K%v#SaZTmh_7KD0?brxSAmo~FUH2{;Pa~oBL({z 
zh3VX=%?1}kAnzx0Pr-$==Q;Mv$PU`STDky;Q2eLOD$ot~zdCv|?s3U#i$ul5>7NpU zI6rCDhzd@MXfmQh!rW;2MgW@FE|;G+tAG8}mGv>ALYV)Fz>b3y<2EU&YJq+m5VHtt z(@&iBD80#LMWwaM8k)adOq)4RHIdsu(Q327uhFyKM9sr-UHz*j>}qL z68QjeIH8Y}Z&)mz1mL_>Qm+(GKOjS|F3jyLd|Z5>~tp-Xc#*E(v~VKpyGeWE_i{aBFgQAOKIkw$i_3vfTPtziguLaSGT z=Tpws2kRq8>36kKUO~!6r-hPlx@mFZGRM-P=+g*%xZ;=(gy}bq?ee zd-RG;Q))HJ!`s8ux=n6_mXUWsI@NUwusSrE6FxzkpdXiZYHAyQeF0^nEfeCUm&>G_$`}a(6{7o|9R=h{^sM2 zGE>{t6q?j=IFe>U%%LsX?`n)pvQNM>rFPTy0?Y2^a{9yyCJi}F@Oqc?teVknk;dra ztP;fMsM@O=L62r-0+X>Dl~!j*)7{nb&e&Qod}dgayw|(Fu+IBt=Atk@s(A&PzdnbA zt!{J%R|H-SH)}6B`MmkX_Q$IR-l*jEG?_)Z$P^u7es~AEK$Z*JYa=?wp=qXD#fh)% zQqj7}&dv4^(7gCccBXm>^A8_#It=2+J%H>nRXHv`!gq5{ru9{?{i)V`$B{9omF4ZL z)h4cU=jycf*un*qp(57UT$q^(aKUYmDNm7M8fYfPZ^aaOWf;aS6Bs<~`gw%M)p4r` zwu>c?i8CMiz4HakN^DcFDKY3vHwNiRM$+M2$1t;pt{hZ>7e&@>Ze-Vdwh$M&zD`Lm z&aQHv3;{1K$m4YG6fbo@v6@iVTf8PaoJflH4=E6or3W@ota&OJ#+9mh$U5Q>u8gE;jr?-TEEVm$D^RUe0Sg4uSYkd ziuTw~w(bjBQZ8uu_sf?J?Gey4ZtpbDE$y+KFuiBqm+fc0Ulp70I|y*wcrR{zB)pz` z{CW6aBRMZ-ZWm_uKFG$R-r$W{6l3rfRfb*!1>??JBud?N4E+{AmpOUaFbJZ6YE38R zG+8(=I-YHKOiD|_I&dkdJ=QZQi*=qeM`I|!v`i;0ZG?g1tU~l+)AU2=8z2fj#*y1 zgX|*Lkh}nE4A%R(0+aZ-W`roAT&R94Gf^o?0)tXgR3L{QJJ4COP)?p~s!>UXYA>%O zD7q-CrF;0e*TEN-lG82>Q6X^|xI{m6p+$mChS}pc{^@eB=xh?7c@;Nft$@B)rPFqC zwVsM1xVoM$kT(AO2ZjtXIdY)8!t`!C!RV#pkC_8;#lT`1q#T0aG#E84v3O^n~NFmT@tm+oiD z*(m{m6+qw0<^y}|vwA9P-VIzhkluXG4)c++7p??8b-*pkKo;x2B3JF9+Wphnu$d9n zvr`{ljWI^gWgqcn23%M9wb`$CONESy6@Bz368kstfevBBI)|0#&NN<_br^6|@MaR^ zDb!@v0&VY=Fp{k}C?1ss7HqBH`-+Pla1&1ze!6u*8dY()(I_pq*3_Fq{}O%S81 z=e5`&kz$Qq`MLo48zarSIi1cZhvG(-oU%O!fVeV&j{89e2|u8W=3uiY@l}V0pEZg! 
zwxh?}^k+snyMeUnF6Aaukmdnr-@(p7%QT=`E`=7Iw|N@(W{BdPu1-x7|9sUoBEL)l z_#LkzH&D5G#qQd$v-L1`*RY$DN(Q15Haa_{I@Xg4$wb_4+Rr^3UMAS9qjr|@nwh?gA^;Q52>Pw<62mQw(=s6hFyDH3@e_8Gp2L3S=`qwJ-IJ>enOxOjS+-km#^%&r$K6kRye1bbCff zE~u~eMM!p!#8K9LgO^eVsI#R>aCOjDfYX=#y>IxU!s%Ul`dK=JNV8iOI7v}?Di8gl zn%;2g#+w9;YvrDhC+Xn!U~2AxdAeP_JUtSiHg}PV@w(e_Utw3Io#>i{r0ix7<8ifq zu8BRViq-prAm9G4DflW=E#p|MNdq~_U=<*XB9b~>TCdb=I6(?Fm%c=y#rgOn%f9-{ zJkCMEooM}LNJQ;e&G1FxP#pENlo{{y^Y$sP=2m|+i?g{`I;hKp|zJA|)Na|G1$ zh;x(@KHy9@ioU?I^X(q&HVr@KrMzC&5F>WStAW)Z_i8lHJaWQNzM(7eN59ncvJ z6txFH{_w60duy}Z=KT142K##lsQ-9ZsrY6lqV_IXBN(;0rIa*H(OA^JseuLxj{l>` zx#t^L?>M2^%~>3->{ZnbD(?EEbxL^aCt2A+_nXRC@BiWJx?h=2E{7aJDHuq$R)74h zAsLb83ZLO|3;a4i`RGo;_}yFBP!Rv?ghp1q8YygE%ldAzl}>%ESE_$(mC6-k+2|%| zN>1Ksl__3wo%u1sqx7fcBsFzS8AXKaWyGalL zQ?{4#q80eOVfYRxd@te&4kLMyAOm(t3)e+%^uBA9YMP2D9m>w;1~i9 z8ls=uu9ukxEzE5Bi95DFw41DnAv*GhYoQ`#g!x+X>>bazk?_M9BO>R=>6Ek_DUI2d z#y&Zro!$o9j?oL-a^WV{Z%Zy!-vOEoAR4a{zzlt*%7dRn4U?+3Xog`(b(Hh;N;sUx z;jz(M7xgrty>yO&7CzVLN-$KEcL=wGa4qMb6yFYCGP{s4vc=hMIT!=xihj7DFghVH zl3nY-6=M61cQp-YGRZguhVHiek}vC-za4gibt{q3l4%b22R{qt(M>7hp!Y6_W4=lO zv>bjo6%imZ^o4!R&?nmKV zWSniNGZ9>PP?Dk0Q6IMgp0cK!!j8N{lgJX7`~GK~^|gvq>suICwjepuR++R;qh_q? 
z1e61BBFr{thd0I(ZCW&p3lC#=UlDib&@GA?7T-t((sp>5o6>mVj;`j@-yvj$(g@SP zhyR9Mn|sC2n*$EFz3{U*?!NNThUwkl7NyvYy0<+wgq~?V)bDQ{zQ2;nh~ZN#2DsN& z#A=l`P($P;y`s=PJq(hv z<(Cg9<7qfA!&wUpVSK1|ZA8Tf8Z3R}(%_ybDkmfRVvnozp&(jAWV!~PiT(PJ9NlrQ zkAY+#S$-~GG>o2;-d|}Px)80r5#RXnP-)LfcnhVdg?{1T9ns~YkrXS@%bP$>( zvBP0OzFo)7;J|vEammxKe`w0V;jJ)x9pIf`;cCD61&K#br*SLvWCPs2L6*Cp$w4gW z_t9Fil=DTDvHB8+K2&GI({K%hZCH$btO7_>0t3X6`n(M$xI@<7tRqnVCgz&!Tyc9fz)DEw>Ti;zdyz=G@pCiIi$ea9`_W(Qcj zrTPJf+=g$n1{%KmGGnP=@BHpqE%1|b| zQ*pz?==_Xqt4UipX2~=sO_(LL|pRPI;rxfe$no9&^LT zkEaBqL__%V+t5?vT-x4gcYXO~M=rf8-ln;HG_*tY%iN<95juPyFFMG>=iTMO$Av@8 zi|4DPWsnd$)!B`Mi!VXiV~hB{UT%h066TiZb_+yc!N3s7yUb=N$q!l&0HGI{{`Y`) z{1P~AAn@-eaNXf6(@ozT?%%RS#Mz?_XGc#Ii`%Avu?JGKP@@QW-ObOBX1JO=SgBIh zKmx~qqB#$`fpo@|TzTOX>hN)ppS(s>fD>_DjtLWGy+<*hJ|Z!66jdO^pAbRuYHW=ONvIAT5^+NaQvfG8E8#ujw6HoKX?-Ub5@k>PKyl zzH*Pc&ATCs)U*0Djqkx*-yE|w6j^NIJG0U`+oU0W9DbDBI$xs4g+}u>Fegx9vJ{+= zNy7`vPMBa?ynsV40Usu1tx_x!Jwy-f8Lp*QO{DO2nv>Af7WF9fI!LuOjOF}u?=)?+ zB#5WX$Tz3}JMsu%Pf@SAclO1{>10pDvD?WhH+^Xv6r3?Bhxra8U^N2wd}a)<`@;U0`qr zar%(y5~vT$t{>V+`{mLo5LSwFCOio}OdV+Ms6f~f+>dbh>Yr?MmK+T?8Cx>WYg;sE zzHByG`yhB&a=JsQM8k~`h&EyfngJddk`Uf`E|n%+P!^$L#J4K4!k|^A0P$Hll^H_Q zv9|%VVBEK_juDC*atR7+rr~7w0~;xjo@az2{&S7cHXz3PBPv!rwS4moi?%JZ%L+6t zxLFcAV1ot4!9`3^NazKnMKB^xkOfeD#NqGBp8;%tn!mn{Y;!rbb-Ov9zi4s$G#Ig5ES66pCNquKZdygu7u9Js-#>ZX%p*w6(`3NcAK zRERU#Y-ZgltXgp}d4s@sCu^+B4nU1d72LPQ4$Si-C6-VFMz_l_Z?Q51)&(gb59TTr z)sQNWQe0A(do}b^b2wHy^qaX>vP)hg__%7L0VS2|IB58c_~8Lk&D$8I0V5oM8zqj0 zeE^65N^u?*RoQw(5QrPi#Vl$B|2ESDN87BQ*)w+-_R#C4n)G~q3i3k^v?^zBCl962 zW6$xHiZ$k*fPpB5QnH!HjJ3m-;E#zPxi zW(`M|WizVq*AIs|KipmNi#yI0N|0SuQye!r&YfkTU@?KFWjNBWd&a~TDtJ0y?w=36 z{^LWR{rJ$9TaT@sJMEADTgy!6IIEU89ZJ_<2M5IxpG6FY&m{Qtqx`u!IQH52v%*!s zu4J@j2}q4ix-&SX`J9W(Y_~UIFTZt8LDA6=GwsvFVj~ao0E^hZkf;4-!e2xBmGxa} zL_znrq~#Itmh7d%c^B>u=Y+>zewk)5%Xj4*E4u(SCVkHbSTkq zVv#i!NFt<W;Om$^ahv~v z;C+Tp5$CDoVRif}v0GWQiDSN{HE)qohkM(;(R&0}nhi=`qb@uJdkyQMkh>^TVa>0q z+G{=1ak8-N(0U<$iTYxKRA?QICi7Y>I*-r)RW477EDAOMvvwVro?s)N&bEiB6G&wZ 
z2XSe?x(~Yuy)p}6GF zy3|c7q>Yu?gv-7-1XpGjfGu$r5DA6GxYy62Le&u-y%-H z{uu*_xSbszf{y*Pv?42}DG=}#sRW_iL`0(bHlZRNhT(N@2k*##qMVO@IOCI}uM1K5 z8y03sM16U+f<<+=RD+n>Pu0Di(8gGnc4|bB(;8;PLHa>M1olL>i2vg_+-d$Vj>Fqw zWhZ$%2uQ`eNm8!HoALiR4##6ZDNgcX?vxRwsMH}>?J_mfIAV1WA-fQSQ~PF(`Vgp} zGXX>B`lUO7H=|_Xov^BHR%O%eafoKHFqoGa6m+BFutaJVI46UJTnv(=!plLC5X_|Y7P&10A zro|V@_}vn17A`Ne${9%Hzyl9;!^zc7>Gnx}-QhtK+HzffoY(mg4YydbQRLTE4h@>~ zCI>;|N5cv3nXlV<91V!+KwVCw3G0*!XdXEM=I_*!56Z3<^!I}ds2)&oI#X~0hK+=s zLTr06z5fE_1L|o(h}{yiL4Kz9bwwO**q`!DrkqaRzFb||i69o-K-?sW3G(C& zFS^hq(j;)O%YB$qh;-U(V2rr;LbdhR_;tgs)jDr@AFHMfF$$DxmYRiF+t~Ga!&=^1 z0a`^V&e)ge2%zCfrPn%1^Azcw+bSOYkWn~A!~&l zkPIHfH+uY2Hc*m##e^EMi^Fj(j&P4gO_3j5qV8<}m}VIClRiijp}HIkzFX-Z_~glY z#?blxP^gh_E_)fG8%|idcvRuHnebAjaNquz;PH|62Lb0D;KW4Wt+Ngod;EXIS2eVw zc9d`qQOUuKQKZ0qAWzTEs9v_XK$&FK{n)Y(?o%zJYZE-;)!P+JD;V^J)|Iw~DTx!Q zmH<(HS8e@q2*gfR5-NI;kL%+j60;tE73)q z&PpIIGY5q5cJN}ziu>Y$4e#%ftOi23$3*ZBJcrfGQY+T(;`>H3=rtnYbHHNmR!_+| z3*LgEwvJWJv@>p+EDyVVEHOJq&7DUXxW^Q`4{!(V;07uh(BZG zSE|47)5EF3gU6yaHJ2%UJe_Rxu0f7(zr1WWR9hkCnXdg*hA3P^TyTBrV;9J?Wb%mptUQLGw?` zstuz`{G|`ZNY)za;{5x>rKkaFjgm!h%%7bPW8mZ%f_&>`(1U74P)W}~=A`H}CfsHK z9hA?gTU5@F=Yr{;xzULUwOyK{LQYbU+7F80e0c&LqabSg!B+t#+I8hO`b4+4;QOb< z^a3nu&V}i8lYm+O-Q#mtho+iP2By_*=%12TszzSm%*+JOt@%6fKG*U(pPZ~a&n-Mo zZdp5^^95Ve> zQW7^x30b2-_4HRVm>RbE(xM+XX>s*gt*AO}Gv{sQ3U+j+59P+F=zbT`@7&Q>q3C@` z%lmDJD~_1nNToSM$Hvtfx!{acVw%ybi4j~wiazm%35qL!xDEv}M}1rz-XHJsez`4X zn&}H8)hQ!HLP%_9A-oE_D^2m~xJ{U@YQ)k~19pO&VVg%L{&Dwz8tK(vv~|6*9zIFS6_=$3EZlYfnbO3id1#;Plw?_|Fhx5xq-5+swi~e>$jk&>KSU%XQ zEPL4LP=?PE)6)`A0WUZrYac{GCT~Xo4)4YNxx&}B#?H9sHnaFl*P){K5IxokQEtQO zh1f1luo+tn1MAlzap+N}fv~on)U~kf=gYk}%*e}IW`C&}_b=$o0knNV+4c{pVU=BW zgw`V1@JSjZ%dc@{ajDT#?NclS>lWz03-UrQD)10e@fz7~idu{4q3n%l5gvHMG5IRz z%|pv}Wfz3j%+MvHk+Sqr(Pilc@q~^e#w<`P(llN8OhTui&}*GCD=Idy%uGz`M|cFc zWfkc>ZFUZzgJD6jw)tqE2eAyvI&;y7#b5bI*S|~EOQ8@(t<=uDo+Bl z0ra_!<;TCRJ~5LUA{lqYsX=>d#y?tNwf}eCy)_G=JA3#UDu~{Zowf#Xeezg2A!p{L zx;@b6V_5jH{dwHW{~C+v_t@GCJNJD5pXH;M$4VJjMZTI1Y6Wh5?FLB%uonaBLA=#( 
z3qFr`Gpf|+S*hMu`BCm2Jh?wCMbEli+3(OP_}F>*CnpyVgYM|X_!;q3T%As}23Mnv8pyWva+Vf9XW=?s6qaBSeEZ#C0T$H$vFgnO+pG z)7OW`_KuuW#YM?Nm`N8Pfui>pmXBWP81Z#Ua`ci@_j`=WQ)doPjc&Y+qm4XqVNWk z-Wt_M1^pZ@TZ#maL&*{1&VFd~^A~aEo(MJPr32(@VJi9fe`4-km&`wkc zHnIz<2v+NcKa%~4v`xcM&`4TNANv40uBD@E#+mW38=$A`?VK(RjRO^k_vAvrd(_!M zj?#CMIXct<^rs7=StjRlOH8GORTpC` z10G~X(^XMUZE*6E=Mr@GHc!3QYN$lS`qVaRo~zDAic=Zf`Vjn~L5y*_Wo`g)?u@># z*h2!_c3s$GGXEh395TngZmH-IrvRw76rny(o5VLX=QCb6|EbbDMzK$mIvHE7s#t%d zKE;%*$(|JGG#7$rGo=P(Ih8>6_)K;pIUl0@0D4)`pkRiDVZE((r-bI1lHe{P-`1mg z+Xz)0gVdRpykNz&)FUZjJMDBTS2>V%1k~T8TeIHgia#hM8)S-O#8@L;M z927Gt!Be-KC`+_}ig@10eTx(Nly%=r9-xUEc-%2;Im(j42*@vJ^9JECr+%Ac2bmZa zj{Dl+@_CzoJ4E8b0+nR$eMH}vT9}l88jzgrOs=|M^hbWu{qW^1q zD6Mk}IqxD`24(@yjxy-q@(|!5)peSJ|48tnMW3b3p(0g~jLdm}A9mHO35G6hpK_^~Pd^vCwoya#`k z^!!P{d-N0Hs9i(0xMzj2+R}3psPgQATsAmn0kJ4!w%99ne6YHXZ*}AGE64XJp4X*C z3WZw5apfYCi|uvxWV2U)M|C|?;x|y9Ny*7qnS$tKZ+JlR3FEbqg5iU8s~dN}T1UnE zT(3G_jIDB+ycMJVE=?k2Q_{xn33KjYt^lgnPanqbVM+Jeso~P}cJ`ds)w^$Q{d1Rb z?WyOio^5lyJPwsq>Sv{%S5@B*WLhJTPOWgnS)p#FuNKHext5Ve?qu0OzZqQbVeZX7 z`)i&)=$S^VwA}>c+cr)xzXd5N(gr~+_?e?TR71VysBXG z1Fupz)he3wzVds?v+#-S7NF0{-o+ftk#GI!796=POgNDCzH&?@^y!wNs|H_Tx@>U{ zIbPl|eBH>1I^>TUf_$oEVt&rB-Sh(2SF>^e#_{L8CiLbA1#u$ZjHD;pHuG4BXYpPJ zQ)n;xtM9AiRMNUTj>Mmz9+nE;8g&V; zNyvBSpOaAExsY>XWDI4V&g*3Jl+yJNNr-gJ=$$Bu6Tm+N=1k04979<>V_}jbRz9;U zZc>xX@*Ys!U*P09yiqZ%hLh*yQ9bJ+)o&phHNDq_M7&Zc&3;*RDBkGqu{ykTep47^ zl%m`qls}fA_1t(O@&jF4&(bcr7c*||) zl0AcIiC{WG@G;KK<)3RsSR-XC{*!ZLv*R-^}<1b%A3Hf{*9MB@a( z`;!MAC*=ySABDKZpm!8;r2}u!MtE)Nh6`^O?~cd8gYf6Awhh48^LdXaY|fcw7HyAx zOZX4ox0xElRNK*xu5~%84Oj+^N6-i3ikQR$)o*(|eHF)Ei|C_hJa zO6MpWUd~ZOr4(8}n-pgk%>@$sp9y4Mx;UyMUH|#rH7W;{;pCG$un#Ej(g;$cALElm zZ9AcD2Vm>cMjKz%JmxCpT2McK3sUHfK%VW`v>DlCd(|%%x*O{m8h=Qik=IJ%qD}cN zlf9vqexp9|sesZ-2p+|?3h%&qa{v7VaHMHyN{Cs$J_w~+-2<#Cj((4?yPx9e3;x@- z3g$?>=8%}Z+|Xhh@z*YUM4Ct%bA7I8x@z8JB)|3aEW}n(11V1R0{y>|*{+ByrpEUZ!62PYL zMBu807_+tH&>c_OJa6*GKye>_p{5V}-4|vp*KvBo38N-PTSLro{78Uq8U^8q=+zBz 
zj2BjR-Mb3X3QFWqQm7$27FV~>WG?%!Lm$6@O|Cy^;p5#RF?VxGfLa>-J>F;2Fe>k+ z1Q-rEx@clOIiUK#O)A!y6egx`=hshbKh$o9ow&uT-=d{SKqhYYqkXUYfiR``QK$$jSLs`&MRXuV|HmGDL z`*%WI+XSsdqqj^LWu`d5!S(G3RwRB}4r3}bMWcwau#sek4q-m7)!kJZPi~1`WM^!< zZw|~mFPBBd_fCHcQLi9VFi^_bBG$D57GP55_%%cQGQu5@56s8(uNSf>hm7MU(SP3W zQ!G#BFPUE6sc!ANO!drU4UvTciMW$_i`yZ)Y8l8cpX#GhjPJyy~tpj=9@2h)>_Zq|&8n(7j$>Xd|i zn_~r~ZR+qY0=Q6oH81XDRDHA6-!t#FF&5qZ_o$ER<4f^OlV?-4bZ`=^AH>QySI;KG zjOK(fYKRl=h%<7_#BYRs!+q!6jyt-+A##8aBg|s$DvUCpysX)`Zz?LqlB^^v)ItHR z+W(;%HHRbsw&Wnq)M`+-VK{mIt5T~Cx78`4y(UT<$3uSTsdqRbufW1Jz7=@>B~oMp zTndMm!Xf2RRH-?#JwthX8JIKkr4!0d5LL+m_b`xh(&LC%(s$R`hAqS&h7{K#b3x|Y z%4cJ(yD9MZjw$az36?hP$jl2@ZuL*urT9Xbcl)pUuxgS~Sy2a2qpsz7=ywk70l~hh z)O?fEvf`GunbpuF#`Kvqw!xknwr%H4+qP}nwr%UCZQHK=-+R@lQJpxa6|Hk(#JAU)d%mAs zT%G=H!7L;rxfACq)O5owRcr6)2xyzbE{y1e8>^SwptKP~?%gN8kV7O6OC(n9K71`cAD!6u zjE4DsTdw~iGqkGQwQ9|)OjJK8464{=^BI^}kS=?#{Heyc+@JUm`~o~fRYv6n-Tc@(ZdV&%!GU(L=G zDN%GjOLQPlD%sm*CCu@QO!SX_cdDJVx9p0ApR4w9=6k?gZxV(X7bAaCF~Ce=M}cQL zIM>Y;LARo`#N36y_Ax8us)G8C_~o!u4jO$>>xjMcI(N}{6JsnNLmiy9su;~l#~bC> zsBU|BJ?fxf&@VSr0|WE+F|t8VY;~V>g(d?|Uq6y}xg3&6ZVEw06iSSMV%;5Xm7Wnn)h>#H9~ zll%{F*ry>Wq<`-28mgF4H3HZLi6nfE3rYSxdI!Q#52gjxsbzqa=!_W9lT6njfqc03 zGpm*xZ9wF;zh`d(oD!5~9q-s#I|q+VW;ln1A@CYghW=PG+xO!NtRn!L)6x^2R)Sy9 zd|Kgh{jZ7BuFFrQr&EUMX5(Oybdo%Xt`3I)e%hUu`b}nBAf7<#2Z|5}2HFF-JzOWr7EdmGIDwDCrqs zRGRo1vO|f&x_Z5~-Kpw%Cw9v6pY?=~wn*c1lb5JpI-|xy8{N*OUJ#^)`d1ePca__o zOni+lq!=~(CA+}NBiX3f&N*K*AG-re03tF6pO*^h?vvCx%Jds{kON}0vW@t`Oo0qu!38ynR|&k$ii_P z>wX$Cr2<3zHoxB7IOl$Aok~nX3%FQ19tM1|q*~v2BMR_`U2!0Amk+S>513BnHQYx( zX<{;_ld{qaa7|8DOFi^V8-;*+vnSxyh>=NikLUdq{9X$akz7*Bi`zh`|4;XqdwNAu z=;6ZFs{%oIzB&ZxM88td5AMvD9Y@FqkCsd$O6AY+q!T%}PRL;@PfkrjQTs$5Bm@2U zu=3;R9$uEXS`B&3Pys!5v1Dih7u1VD&9bA*OmkI+USo*?>Lh6c6$#IPn;#!}(5i{N z9VUu4Sa2;_V1U8>q~a=^7s1*NH;xmSnpeb|7lkMVu$7QdW!5rPvZf!>-18t#+PGcF zTdhT1j~foq16S2eT~80_e@aeUTeu58jO7!+wv@eA_cqb2cSQHhxk^k=^SC?5O?FvU z=xLMKm`dNbl%fPkAuC!!D&@z5Tl3w&c=Fw=i&5vLjx0bW#v#5AoDLJj}hje`^e# 
zhaXn#4E9#WxjUp%E(Ozzio*Y<=w1EalAtUIc{$6&?>*40Fuj!Sw-T5n`54-kvJp4l zNXtU>!022WCO&~g(@Rd+#>YU-ed|MH^^~aev)@alvOD2Q8&x zpr?c1ghS0E{#AoQZm@y(FQI`fniq(05GjfL4DSG*8KU;n)=V3AMeNX5xO`6Dx52P5 zs0o;R$+;!5%Ba0>Z7PhQ(aoT~Z~Q%u@O50B+Rt)UjP5%vW=>z=?gw@cX)?H>pur(& zGD;$FB?8ES(9Rk{;sAb=>EZDacmkY?sE-U@_KSJnH!+OVDK3msUIsdfbb zGb0uG1jKac4+KGoAc;r7s6NJPCxQ^4$H8#VfL z8fL3jy{OO%?HF)#Unhsi@Nn~!gJiBNN$fXuF8=;051plOJ78ypau#hW%V- zO#kLv5fj}%4bJEn&b%L2+0MK_KdJ9bRj5(}XL=d=Nj4c9z2?@b1e=I%hnLKKCe7HO zorxzP{;Tp?pUaqUFTOZqv`$Kc;&S))a=Dv{(Cm&mxImCfGD!Jpj58tc87CvPq~{CM zG5DG)2MG3Np}G}_4MVU^>UmTo5M)u0eCwlF&o0=aSby;=Gu-eM>9k+zRK$Ax-?H6a z#C)eNf7H+Rtw=S~Gp1Tk`Y?{>G42|(X-@)A6#@4OXi+9JdK|6V9?-%cnoUp5*IU3d z)|N{o66T-%?(v3D6~hK01#fdfLg-dqL=}^beT9+o2v!7vj*XOwKx$)Trh4wN?S}Ad z?HRr|e3-^F-Ph+k5;$~08u^2*(Zhk_uBA|mHFe3Bsd{k32aj)WvA0(2_e+lQ4J#_y z^J@d>n8jDMxDJ`GIqCBd44HBjHJ!!k9I5M8p7e!L z3Gz-7>Yw$?7XNW06stw*RRF}Td)yaDX5LqN;C<6)G3g1gQkWCafy^BeMBTB8iYegc zuofR89NuC(UpJz$c3;3?}$_6iAc*If|SfhN(F#K$g zR-`fgm+Im@_%j4xy>E#oJtb{Z%D0aB>)2~;@y5jA!KJIwxE6G>=IZ_(TD>{Chg$0d zjx|+MR8n_|d>)nov!epc&yUrHa?{2I7(yVFirsWgf~3b`@+vvWTra*6>qn{;sC(S3 z?~~}&G-nab_B37fq>5FjV)OVK#M?fo%jmsw8u-{Nn;hC_Prd>sKGH<@nNCsIEYi#L zn9fjcEoXUYo6GXL+}C5Bw$ko4;!R3XShM%eGK7kN61z0luhNm375FWH)V}==Q3%1r)+Jmj;aY+ z6L|@ue-=h?P1SWV8hE)KH+hM!vzDBDmoEK%we}laf8ysc{9rA;7*(IpoG~a9 zr4@W>y#s8*y%jZX&%!d|xahFtxX5_Jo1KCK&n)t(2?fh#3^7yazj4;sf8(s*qxabS zz(_&okf!~phjp%`JRl{cBVN$cC84Tr3~M}^<$QpSusXM$(=Zw#6?FmSvInf`JPJ?n z!3&1S-oSn5dd%Rx_2nj*0@4TsJCpqsZ5Bnc<9>PeeH7V|;4)9aa`CkF^N{ov#-Hx-d}#5Wq#uKd6TVW4$Mvv!*CVsVcGdQf4}DwH zzB^%mKqFw`@!1yTG#sU}S<_o1I?OKVie^r%?ZA-fF`jruEIDs^~J%@xg8RnWLecREn5dh6o9RIFTTdV%}Zt1ha2sF@mw zYE~n`+U{nHhBd3WvZPGp*BNwke($bB3HnM-oG&C8&WTpvCbRz-b~N#7a5tVuBMT*_ z5-=Auh)yDNAHJ7!+}>Ni4jH~Yvs{7@A}k3cZX8%31JA@aSc2jD<<%v}lEOJTxrWn4 zYPS8H8lfq$f+W?#e_Pq)>Tbb&@7$$y&_WBe6%Arx{%pEc^G_QR2Do2i9~3i# zjVtRV!7TW(>xxtqws(3fK0%&Gh;jTMt5*KPF_sjaB z?D@WTQ5{8@@d6&JLhyX3l2})o-1K;-ipw2I%`}#-9e3N%qO=+r1;SR5U@SPUq#<$Y 
zvT)(ft*cHs*m=UbR-r~XG4|}omHiAQ5&|e(%ky%B>X{X`(TkzvOIOu+BT|>P6W8Z! zq98s=binL4jc%uqI zzt6Ns8lJJpi)6(4l%UMX%8020J5nP=2O|&325%pjTdFtU`Z^^QW7Lv9e<50+%;A4{ zmPE}U{~QG#>-L_qk6?Hjim^dRmUwSJn@ZjWD||R2OsshQM>~r3U;;TNd-}Djfofd8Ky6`trKa zKP}{8oimTouSi|%s#>jMyEE6MSDV&m3&z&u)u_;vyadVW9k&~(+y~Y<#vXN=4@Um4 z)Y`>fI3d*%e;}!txXdx%A^A!y{u5+!s zvK(Qoa}KGP zO%smP-29igJaCpCeg4hZTokpEtar6~OXe-xWZvQui7)}bZk?4$g<^&Wf+P{pb8&On;4e7c zr6G;O-DZhGi+EMO)<SczxFD7sA z8HwcQMU3=L@hSBstscaWx_q40SekQyhw_@CZtx4!^IgfE`74_tT{1^lDPT@mUC&$DZz%h90if~@*Q@*#!Q&FD(=*L8cJhr~0 zt+Z=~h)PRgI=A?>KJi`*Qsizbb2h@Gzx|3}%kkA9t#)m>$%)!x!jgvH1KhJH?JUeU zb)P)ca&84RSeHFlMj!IQ{D|LSF1*^>@CjV;O?z>E#yp ziYt#8W$9-#iz?EPQLpc!D#SwwcFT77Z?gy?FVbL@S`lp$NAJ$})xpigT>K_6M9dg1 zJmP&zecgArz$kX5+&!2{MP$B4-2j7CEF|4fZ0XA&>3MO4w5RmRc1;XtijaPbc=17O`z_ zae0^2HZt&A=xSI`IyF7gi#g_7yJ>SX2R!d@(lj`3py%C}`y3ku6C>dCo3GI_MEzAtE{cGjYcJ`SMs*h~@L7B7X3H zC6CYMd%?=-N6j_e1@tWx>Vmqzhf=Ch93O_d z3ms?~G0bDgVtjWlwN55(+4K8()qZI&?UvX=WAq#_VcZECGXocIZ-eK<0yYFwr31#| z{SK)$gxFlWePO?6+fJtBu<5FYehWTe!pT+W1RXVF=Pm5!;63nvg>jtkq``ZpFMX%+ z=Jb9-z0%Mke<|dU`npgVm^!@g>P^O!%seqbjs@}#CQBp`r5ObQs98!`1D?+g0fgC} zSutRuqZS2@kd&B#T(O5+qG6xuw}-p3=HmcYI>8KAitb3JKPrI=@q;@hgpGZ;4;EeS zq(W<1-l5R0Ud+%yc?;;Yx4&zV=TkU_*sZ*XNyr_-KWj9tF+`kIy*grtp7a*mk}79& zc9LMYYaXdz9;#cnbM`em z>%!|TxZ)Bfia6ks=6XoTOvTjt?XeeI%COV_iZN(k;T%?IPtVJHwg+-&G*F5nZFHsk ziSujcaVEy;vRlcg%ad8D5l?v68c8hqyw*@SLF*1GT7?^D^*J<~*MWkXi(ZgfyYGk` znDq2{{Z*$j+5D)o_W+Mw-2SJ*{!n>qI=sG{x0L|i;;bJ8z`-+)m%l*mDiC=e3=!Ng zFI`EZ7R(C3$0#v9naT3HOp&P%)mso$j8cJ~A*kYpQX$Y_NnM^blVDQ*R_rP<^TOd; z0(s>*K(uGs>l4eN5Sw>POJ|>HR)4QOI+`2u#xm2##T8)V=LO9L+d=O(Oydu_s*#l1 z(`-j2(CKtYd0$JW1>lm72GC%}eA(sn{rn}>pno-8N#IBWAFSh6p;h)0L=}8QEHHxUYzhD|Ht^J-bcyWZm=qiW-f0ia4EKH5F_WT|Et6et@N{ zT$B;Mg{vRN4>?{HiNPrv2O;#6kO^?gUvKy&1TU%X3c|W-8B@{SpKE>5SN@wN~Y|Bo6&aK16X{qE`Jru|yNT4jzv-I0ayw z*hV>@E0y}kv4Lx~>&CtNNIsw#Fh?S?Vh>jHy6G&oF&ONIyJ7xBV6eGXzhKLITw&*9 z5{(;ACX1DP>`yMiSyhM_9$knZS*TYL!3tR2m{Fq!KBdE~H|qnkEIH}RfVsf>Y7sBY zZnqzN%@bB)43FeB&w3= 
z&-yn^;1AfKZ&Zg~AMzvw)WDATa}w)cGg=b7RhX0D`0KOd5*rl#%dl*4YM)1Ua@!Rld7c^c$YO2eU|4hk)g))T zfZAYA=VF;(AT0~neUqp%TahQJYc0X5j_z_sIcVM!&mO`vLiB3|qg&ffV1La^jJ7)7 z9?b}6lwj-=Jh`25wfiE2wzf606?It?Q!4+!&nK)(e5smL}z0Z=;0UCogTdi~!0-cy+MMTe>O+mQ^ zeinohf3iSG5b+d~csYhupgjuAcnVhuMKsQDqV*MT4PR2yDV?q&ozkC%BtB1uk}jhM zn)~Ys-@}h$Y9GbakeuRQ(ov<94ps!nfHfe@PrHO>p***Wiant{!bi<$%VKh*EBKh;&6Hn_HcbTgo zIpkiX(cV*1L?c1Y3CiH(L_mVfJ`2b&!AYHI;9x?Z3qCYRl|lf-oO;OkBIL?Et5^|x zIJvZ+lKB?ll%f-J&bWD6b*~`c-pk9k_v*#lds*o=O$0DCKou`Uj+M7uOtlmp3nf+@<~NU6ayYf zbTk&MHDL_|^qBjBws*uKv_+S zmUBcG<#SpwBcXSkQgOaEGza9GB`gWzI39xW_at1G`9QY7br--yQBt$1tfnwTi}IQ> ziOo7Pn=+}*T5_8*$&Iz_W;@awO@33N$QEEqSi0p&9qd@QO_P#Dk^NOj>~ZMP(!*yM zNHH)IwxPg`0?a}YV<;w?>F=3f!Z5EVr~X|3;Tzg-JYYB&V7-CZCA&}2AzgJeZqK|S z-Q*MY9CnBUgGuOePeL)0=p-`>L{$I)_JI{lQAOS+kB~(f#g@IW9sHhw`Coy17v^b6lT+P_ZEsTIk=B2Ho=t)d>pGywt`ZH=&6bgN9NQyZ}<7kcGdtIyoHJm>bJfJecBC8IA9vLVa|E_g+F*#mfpzIW>) zwfT*Ney92~ZF?8A&b6(0;=F?!{NS=kb0U_>cQtpj@4kI?Fv~3O=kT7tIKg1kW8>;0 z36m!JP5eLq@BfF2sD&3jsBW_0Q-uH#&};l9wgX5km#c_0A0Z8iPw5s%oQEAqTgC#> zuKEM8K6Z-)4d*WC9o#ZfHnGWy@v1DzFCVs3bx5?ZJfW#()0Lw2qKWuv351Y+ z7Wm(yJ=b27LDyd1qDxJylJ9k#3eHz+xHI0Dg3y+6zoiJS$N^XIz$$F#G2angyiycc zWJD}m6ta|ySo)WFr8ip8t&= z{}rD8W%{uSEf%kCp*ky9p4F(&=pkn{Wnzw+woLY*Y0TtLS*=+%B}T0nP{*95vFYoj zf;7FQTM+I2!6b0omrv=krIzJIo!F-n`)pC{(+0ttRd{5eSE3F3Dg+7jAByu@ig{kB2mw(2Ybs hT0^`F@P)29wf)lGg Date: Mon, 22 Apr 2024 13:33:53 +0200 Subject: [PATCH 58/64] Updated vault-helm to v0.28.0 --- hashicorp-vault/Chart.yaml | 2 +- hashicorp-vault/charts/vault-0.27.0.tgz | Bin 49088 -> 0 bytes hashicorp-vault/charts/vault-0.28.0.tgz | Bin 0 -> 49079 bytes hashicorp-vault/values.yaml | 2 +- ...ault-industrial-edge-factory.expected.yaml | 22 ++++++++++-------- ...rp-vault-industrial-edge-hub.expected.yaml | 22 ++++++++++-------- ...-vault-medical-diagnosis-hub.expected.yaml | 22 ++++++++++-------- tests/hashicorp-vault-naked.expected.yaml | 22 ++++++++++-------- tests/hashicorp-vault-normal.expected.yaml | 22 ++++++++++-------- 9 files changed, 
62 insertions(+), 52 deletions(-) delete mode 100644 hashicorp-vault/charts/vault-0.27.0.tgz create mode 100644 hashicorp-vault/charts/vault-0.28.0.tgz diff --git a/hashicorp-vault/Chart.yaml b/hashicorp-vault/Chart.yaml index b9a2012..e157759 100644 --- a/hashicorp-vault/Chart.yaml +++ b/hashicorp-vault/Chart.yaml @@ -6,5 +6,5 @@ name: hashicorp-vault version: 0.0.1 dependencies: - name: vault - version: "0.27.0" + version: "0.28.0" repository: "https://helm.releases.hashicorp.com" 
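Review bot: the Chart.yaml hunk bumps the vault dependency from "0.27.0" to "0.28.0" while the diffstat swaps the vendored tarball (vault-0.27.0.tgz deleted, vault-0.28.0.tgz added) and changes 22 lines in each of five expected-output YAML files, but the commit message "Updated vault-helm to v0.28.0" records neither why the bump is needed nor which rendered resources changed. Consider adding to the message a pointer to the upstream chart changelog and the digest of the vault-0.28.0.tgz fetched from "https://helm.releases.hashicorp.com", so a reviewer can check the committed binary against the published release rather than trusting an opaque blob.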
diff --git a/hashicorp-vault/charts/vault-0.27.0.tgz b/hashicorp-vault/charts/vault-0.27.0.tgz deleted file mode 100644 index 24a07991517b476c1391b305d0953e9e231a030c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 49088
zv>5(DbmTE1zRUaJw&>y3v5_LNpogkMCmnzZR(D+snt%9Y3M4YfUX z8qH|fU)tKv^j)T*?uh!WJ>q}ROe_@Q1bB;8F6jeN#6YMa9*-r~2=go-E3NYPD9tQw zGkI}dpMRX@GAb)qVR`0V+*t%T7)1v^%};O)i~_Jc{1&}hIL~~oQq*0lXgaqBmbiVP zb>rG0^UA{Wqs^%Ijp#F-jo{CEt-8FvzR6|B34!E381lFOi%~r2&WNiL#xl?1Lc>*4KmzMiW0b#J zpX2V)yt%Bh$3H;6Y4{yP@Bx>*#JO3EFZ<;?qLYxc;Ov2n7r!=xe|E?_xqJ~X){GM5 z7(Pp`qI-Cw4z--{zi&MkScGR9v((e6S~LpMrKFrI$|_SH|D?X8+}=|`m!nP2?c?FF z!e&#B)CQfiyd;)zZxwEH?n3!7aM(x~V{_&xahOPq@-E3~;C(d7 z*%8->f*}G@07vO}Sdw$C-L(<(F!KlcKJ>R^bk_7T<1pC%>QGOQUrUx?qzP;k->4!{vM98ffW^HLxYc8F~zbrNqi> zC}776IE2%Qo;9LvKgwMca<{>E2O16S$a4{g_Zkk%)@4?buu4i(_!PNbWBjcbT(#Whcl3pL|P!FO7=EWf&sB(cR zeodlvKz)%I(|b{R&T^$pb<|>>@GwXwOhj&6PuN*@n zK2<+mIYqJ%k<_3%nVMD|{{?4}|A~yoI20sxSCugi+D?80`P2hd1OdwskU)0XLedZZ zY;~F?A!Sdyh@p5>wBK8e-IjFx7{VsfXb(SBQ2lan!ITgH1O5rvO;A2qm*73P&Tem{ zvqULWgw?cAb~wLrfdGjVf?b14mbkP@4E4UZ8@QaSaUjrDlrdfVke8EwfRBgv{8Zf2 zgW}Ul3S^B0*}VkMMA}PG8hjaT&FXul4X;2QIY_qj8M`{gIp&%=gqF%%mG4Hsd}Y#( zrLDN-&kmaD>q6d!`!Wx%7}#Ut4EPL9)1)PL30mpkz}@6b5OXEKepwb`PRA*0t$U5d z7?DX!_OyUcr4%n-c6dit6ukecomPhA8r(>j#P#=_YKWoEp~27%J2Qj8T|HRXcv zW`zhHdn`-HW41Zwakmlmb19*O#j#(-Qv!2!uz~`fB)5YOJ)0}s*ELaY#l;NnLI@oVM*3 z=c^C3*K;G@t#APY(btNzz#Y+DQ0(9sEj=$KgdL3d@j@WI;IZBz(dP)MH2NcD^h7H# z=FO*3Hw$UNwpryk$!Ccl|c_p=dR(y=r- zH?FF7q83Zw2B&kTUsU~n%0SZ!l)vHanBAw^oTQvBDjHca%JT5uUABYFX2y9HgkuNa zM0z-7CNFdWE1nANDb^5=)u{Oc&br1)T$gu>34y$!#_nwiTSocvl6UX*to{|Pp=!?a zq46nw#K|XWl_Fm9rqn9wl1LF6y_W~WIN$K`iqa(;9^#g17?r)vgOjSSQaV%#_(a1&M2f-6Qaf`wJV*f36tgPmWFAPZ1hVS%yct9U z$FDbYf43aS+ip*!D6iF7e5i(=mKsT5 zI_?%<^U9%Wi4*!7`LXwIh3fDuDZ=o;3Qo8BohaLy%CnOhX+c%wE84XDZPvJuamR2P zX~!jj94&^(M|(wH-@}b6VvZB9B$zW!1i=ZXy)L$gvZWGV9&BXOZZkU2l3C7G6rYjp zkU^IBUFNXV(MlMwsLGX3u=o}UH_BajvZT0k_@-#QYBH(cDzZG<8%X=6wiOo?+Z;{wp_vZ&8K?MbD*x2tbCZzK?$EEpJC$ik*#Pl{5EE(jz+ zt_!`hP+xn0w^jw3erC4jQH!#H8)ytLEF`QhCs;>7TFF#@Q;@S#kYK6=TQW+P5cz2Q zc3tL>&}S<-DI7H`gyD!#Nv9f5M>QKO4}?EV4N}(5c(gEmZ4$SviiVR6{)-H(sS&mG zUZ#ev{AjOSBwy7XW(k!z~*C%prrI;*Cq< zq`5U-Mbf01#bK#3YNd?QEaIljf>QN(-O2#9c5%tYuWOTxfBorq0a)yh;EN-BU!=N? 
zgM_qFD~7HrLTVDS%5oR!Nn32Xk?KJ1)Z z446Wk@HXR+_l0XPo^EED*5v263bi;=%4i3rsYA)@0~IO#iMmuZq*K7tI) zyi=@rg{w#5r5&%spF)E^!PkIaLFt~4f#NC79uKQz=_ zRtA4eKtZGBm%b%4h^JXO%~mggT#$&R?KH*IthRl1%PG2M1>&WQF{dxy`SBh~jDz1V z+Cv%B1tgUP`{4xfltDt-hg@$fE7^PjyNofn3oVp^c@n}h=q(z`<8-cNB_`vSc0J@X zn2!*mbRsXwH131~9Lm7v$mqWy_nJP!+PSQ|d<=?MY!Wsp1wU$Za@Iz*{#Bx-zs?@ACdz=1+2nrNT?QObs4HyEj!xBEIPTc3Xf) zg{vWM1oYN2{~aOY+1u@cB2c&!P`sO6WV5vCoMnN1aDp#!H2AAxHe@wpCvO`sqq23_ zx5lupcUlHG@_PUD4Va|R1QeD-!A()d>;^Lw8Q-J2bCcO-q&}fc8X5Bdg`_|<3T4Z- z6^;<38LF7VL|LXc*>kA;qp_e>l>CnP_7j> z4Lg400sBU1x9B-MI-eQ0T1#m`tbGTpD6$-{eNGb9IQi&7!pY!1TvkRjksuo1)lS@Y zjcskI;H=5nQ>89um6^YZb`mJPXiH*-;AL1=VbD=kE(WzreeIe&zG>9dM)oiy^Jc8P zuI@$mR5+(zPJrD$F^jC0PN8N9HFWQ&OjQksOjJ?tG?|IG==?{?N~1rUWEGiaw51!NP%P9RtC_bMU)R zsg}c?(l7QS`lc<#PIoEOw(9a(5}!E9E3vnj9on#$SI+Z5%o%Ew!Ui)=@|lpm8>uEF z@jvCzBRUd&2!RL;KXq^?4Z{tPI=f9=z1px^HpSccl4ShYpwL?PiPpFlyn6YV+Iy+4 z$@DBLeg}Tud#8(`MV*A5)AqF}s`t#zaC}zXAc-%JTz*+rC71ZdchtqfOWs4%kT}Sl zjnZBU7H#{*2Cx6_8dVldI9xPVmiYsC;O z1!Y|Z`$|uBz<_aL$!^QU@P}hm!?HO*RO%Zll*1cos-o*Whs16{GR5J<3R%dU3&qrR zQqVbT7|5vE(JjP_DtQ`t@`?-9Cx?+~<_r6Fm&o{QgUcUS-hhm5ikG4;ufk7{bi2?1v7u;!#vV6YRWn5g0c0lgxwII4DmV z%CqRWD!_sgPq!O%GD}YfABM!$qg+2w&3s5RL!Qv*W%l8KqXdE|4q#IW<#OiPnMmGB zS4wa?E4*RaFYZnjhl>f)@PF`}Q&O>!u-!Ig_-*Ia~tn3?(%TR1mg(f4PX?%4bv zO*PkV&b68K5OvTA-rw8Hn}0g*bpG4D_Wr^C!2!(w?m=(=2h@Iu#>nY~&%b8d#MgY2 z*xq3cA)O+E*CYGJ&_v zV`BQ#;HIgQS!+rG>Hx6CaoN@GTjOrm=(fAMfq{~|8~gr~TvR-CpnA zK5oD3wpbgkFI{t{x${#pA=f`!ntt1K>`Cnw&+mzAz_>IJ0}X#YtOu^?&*3Mwb$8Bs z$KSiy_u$t|v$YAHVVh>x0-ww@k;k;huIBk}p!lcSelQ$2ayDp=l^@a0=E2r6G@)`^NZ17*z~{n71mL}|J%J@SK|M@z5VW%|8FAI zMpMncMRO9MF>!%M!EjiXX-{NE{a>}(Ik`vvRP$Nxsdk5vfgOv?vB9&vWgomL2`mFy zgxn$mtN@BYMxuL&*eLJ-bd7WVdtfK%SKxxKjREzLcBh$^c4J{Q#V$Uq)k3~w;5%%A zNa8jlw!@eZ$6X4#R;&FEd=j}ZLz;(?=^@HP4fORZYF_b|&2xBz{{Fj(Mg+kd*G4nq zVx--Wz-NsVrQagookR5q{fH>5L@*?N;HhB6c_!GWtlu1C&sXMrqFhj3|CEt~{9*%3 zC-&H!%rs~1eL=zc@3woL^!kT4-M#Jl-$eTQwe?f&h&XfCoJ@W6M&F4S{#$fn>&@Em z^7yyLsj0)305?tyzzuV3V)qc8U7j|&Am9DeqWJywYXgONgz5~hnt)9Mn=Waij+&?e 
z*=R0vj5OOoZxWw(&>Q?0y!otI0ru#JCd0xe=HJmb zThlfU(Gf%4GtH^Zu&)`KuhG2?m#SfH%B>s+mPJ3(Hvav0N|sHn1p&izG@S!7ZQTlt z2u}2o1A^>8&alNcR)~>_rZ;V|EtaY{`w$gH2)0zs+lV~IJ27>|ipJ+aVKm+rT~JUo zRT;jkF&a1Xbg3bB?*KDs!El)QST(1*b%?$(aIBH&EBj58z=3eGCl8(3^Tu+1;^#1M<#(ar&zbX#s< z3wFtul}Gg3xGvxFt_{;;y!Sn#t4q|GXvAX^s%?6Zq~ia8#(-C@ODtT8POwP-2O9vH z|F?H{xBPz->5=$<;!B2&yEmHN)B=A>T=PFndDgsr$GA|;;5mj~0fw&6;uGjDvFvBY zf!)C3ib5F8UtAJ6tQ!qfr<5MpL8wWj?*!k`be#mY@3nk#i*5J`b3 zliy+8mnilP*)T_d5NIy~5mH+IoSLCDpoHa#7;w+QIvwo5foaA=sK>{XIUjz1?ua2$ zwklnuNpnl1P^#Qa`|`<-&!GeaU}W?}>=Vm-CwS3dmRiw0i9!#h16PH&t(|mn; zn!v=WaB&rE3@1}GEwLh*J~GwHh3%Br?c#>6ws7*+fJ2NN>|d|~&9s3##faTNt1UR?yhfUt zRJBW@K-9_%5OW5+;xKh;LP4?DP`5)o6GmrF4?2`td~K3Cm=F*zVFE9SW$N<`y6|#N zlp)<7&7CAhl8)@v^sgo~xpq_m7XSRIOe11XykhJ!yo(hx|C~u+=JY^p%>hB@ZRjbuN1< zxd>Gvs88o)vUt|-h!xE68Pg}Lr$0nx$SHMqMoV34{uBl>q5#>kssKsCw(x^}iYN_= z5!lafQ5ua_Tz<*X$xe698cY>RF2geOVVQT>#-4ZSk{g_!5NcWV3-%ACRye%7Q>ow}fb!%(%ROnJk?rW@cn(UMOGK*2!$9 z*@n!yWSXxMU**wZvL3gCdf&pnF658cGOCDKi1}MmVv|cPEw|Cdp6Oh)v$*7>pxaK8 zf&x+R^x~K6)4}J#X|d20_rM~PQ)=>?5tp*CKU`d$^+!tr|3KWC=1b6}4OO~R!2J8( zIkB$@fgy+tq{5_G7P-H4%{$Y=6Fl&A&C?d)e1K*M#i-j=BqA{70GEX7eQlfanGw0?AJFDnk^>Ww}0@t$QR*BV< zdBuS#lm==kcuG9p%`^vN9naM*hM>G-(|sVekb^FIXkwdgZxuGSX{<|0c<5x58)QXBnEm^S_OxCwTr>!v3Qg!#_8+ad;Vrf(ipc^hdq^XDw+S2ycWpGyA{|0^#KZ z`>C9?HDVY_D_I*dD^q8a)nbkE1De*7CWz=O^qLzqzNXv4ndwnv^N`LCV$cos{_=ns z>ONrP%{=NQ$1ErvI-{irojRYvzIlvY4Aa%p*siZZk=JJb|EEQ-u3!l$ zLCYFMZ3*-Sl1%?i``^r3s-a`o_k^j+nk=9&{#!?;|DDcmdrSW}ksg-*huDt{?|s*lcWC|js%bNKB0fqkm2h#a(x4YNvZR!6e(sxAv z*EtZ7*g%B=03MYEY%&DE0!~_?#y>NhOX~c;1Cm{7%BBB2v@4Bc{=o4+yX}MBJz4*M z(AmcS+(>$I^#2t)jxdjfB&LyhqxHTZPC!(u0tWEHbUC!3PG%0Vp$&&fNc)jLekew# z3{kT}_S(Md3w**AqqC|{xT2%d=|t2uPdM#Iv%CrScV$;scYs%RH(`>RI3J4oy_9pj zveb&+@e!;g-Q(kODi3aTR-ZV;B9r;hp;qcgP!lvCwu!P|xw>qg7rH9r&bn%?!M;OTU0qXxUI3Hb~od56O zXmovgG8_%gQ~8o^&VaGDKSuS#|Guj$@R>Rx=ehExt6A)Eq#B>d-{>1M@R$XwhG7_! 
zT;JhTg^PXKAIYCwMO9X-dtveK*qeRvY=0VkyuR#@K9)x^y5pw)JxkPbat1G#m?1`y zPfC)MMCL4A$!AUMsI%!U2%n+o&ggV_eKfclU4J+^&Fc_zI1>^|i`CLnHJjH@{};8Z zJp?n=|2p`+vf6L)Tv>U3;E$X}0UBN8V$hQ6mhq%~o!1{PhNEFcHN$#)yGo(rrTjo( zDTP>h{TDf%=I|Hca++W;RCYHs*C@wit_GhkejQw2oL>(=ei|KL{40l%D(QlY@5n8_ zu!qyYH^{x6Xa@67En58flGuV44+r$$(Wk4E(eKws7w4nFZ+U*YtPzT(R2Wwy>LKjJ zTvPX=Bcf6ZaBw;}8;q`gUqHy~EdhC%)@}MctFWh^h650Z`p1K-Yv}XQ=;A7;x2$p{ zyz~CqV0hU-Qqs>4E}6-ZB@h~$*fNCnS^14S^@f}1c$KcaHjgep!9w}JPlI6zkMJ}j zJm%{GIExcp;lBcUi&H7yLhC#|IXhXa##3`DuF^sD3SKl>(P$LyNk%5dU^wcJPL3$oh3>-;oKuQ_0-X2i zbH79YjtUxEep#d?G^RQn*mtH&Y^uWlthruR3$QRGLpU^-7suC>TRkkJN@UFq2qVN& z=~MTg|I{{WTa$v3=@+k-4 z8eyMuAU;ySugxJ(#eu@|;8ue^m4yt;gIEOul@1<;=*_0CA2`n$f0A9O4tr8itHGTV z$OlQgtB$FJFDy5;5@=CF$B>#lvTAmxbDX*~{NVA8VJk2r4vW3rYHSYiB!o^1cq?QHEoH9^I&CGuQV%VJo0#YuS@;v7$oFn3{G&-VqwCJoZ|B zh?GnJL)VXn7|MsE|GT>x|KD!Av!(wVNl(uHGyHa>IogeBf#eMZ3Vm{KPxvT^=(Cf3fs_|iE_x=mH$r8a){t_itjM}pk+GX{X- zgSebF;fLLvQiRn3VVl4KSd+v)FcCibP4+ZR0NmMWrm`naM>9pz8AbmYD=b@8B6IRI zc<@Ej{pcu|TAvNZW9Bk}&Vi-Xa`tcwtCF^GiQ0DCQB@IwU*S6w--oM=y1~IRdJ9;? zk({~10gJUvz!{FvA>S9KHSy+WMXXL9%P%RY@#Kj6BN*$74l;G^=fF0kE4pNR5|IZ6 z>92tJ@y%b{hces)5+}6!q~mjRHRz89bc{Y-9@AfcMlH!Y7)I}<5sts5To6Gr@kD?> zAcn+M90o_DFcgB>4xqy#d{7h+-OPMBq`OEVH7yBr(ehEWfSzRYy=!XgnnN52^CKE2 zY-t-?ub#D1uKZ_n``HHHo2}&oRJi}|?8^TCz0NlN<3`d`mH(3VGa36Mb>#A-+$OM> zdM(Qyqrxzp^WbXK3MD16<#xf#ielkD-JyErXSr2}*#agQ`P+|Er?m|QmqK47w}|A; z6%Ey`HI7Ssq7&;7jgBtAH!uFxQ!f2?Jg2Ha@P+>WyK?-OcK4vOrT?2q&xrm5MhctB z5)9xWgUCz!7HHRcs^wKS@0;DND`UyL=Az+iIeyA(x_J@KLoADlz1N8V<~05BI`D9+ zByD3v`j_Ux%4lRSlcFz|3h93Zf#3_}|J{x(|L=FV^nWAih135EW5&D$HW0^?St%C0 za>U9+rilZ{Q0|ZuLT2R++)EB+xrqK(bq7=d{qOE|I`aJ=yWRaQ{oh3TUg>{iQo@hu zBD<2I5KJFI{qsbKxN4s0&}Kt!L>i^=W=kW!(DD_c&M>A6v*r`Xf$yjiA4gYTdi1qR zh~KQ0xgRrSaMy@$7ZlIoMStSaaS0uKY=~!WLMI-mhvU8G8vVG!_HKQ{mdL-=mSBYChnL*8|X$N1z z8b(vo6KIPx&trEB(%M+`5Trrffd>eW`i|3gXT(LW2A^qsB+W*{0fUvSk=53>seP^& zIF5y>V})jk?VGA;{GDb`;xn&T=mT+YOao~Km6KS5ST83OOfyor%}kig*so!xeK|z? 
zz20sQUX8_7r5mg=?~+wMy)T*H%PE)tS9l3z(f)6Lw=47iy{-OlGwG@F|Hq8~zd_w0 z?@U7+Xgt=9lusZ`HS?NNSWPHzLwt+sTtb*>jwdoELN&8s&Ek^8_(c?(S`J7pMXP3y zfn$i$C7LCSHB_xgSL#TW8ZaERmPcer3+aDFmp~TM|4jVnPJ6rm+f3Th|CQ-~g}OtD z4Lsg$l+Q3)^?Eu;6$5@)ZDUw;m5VB?=MK5_KMa^w!4{zS{70t$^al7X{oh1-a`b=E zO^{WPT5e_hlIUuFP*%Re7byNhtE$l6o?U{@TEZ=?_V#wUX}acuq#>^nab3fM0lk|Aj1I(H*=mjUc|TB-4M# zC9t}tIPeECM6Wl~UwNh8g{}@9&e2>b`eq1O43h?zut)OyRt3wm*zo^6WK0{$=_VkB-}lpNWs;PC=Q&jgA_EPi<1plBxpsiFcO^&}A1wwPGMW1rdoR1jg9AV6iNGpXN=qZf_qlN(%6Bmf3wo0wxVZ)etI;sSaDxZw;~S&)`5@ zMV{H_lM7UmL;nra(+T{TSK$X%82{-Y6aTNX_5a#T+A#gkr|=oYl)@1_eV216jETqN z5M>wm1XShewFE&g%P`U_?)&Ei%8*jry-Mv|C89_D!F;OTh8|pRh3nSa$Y<+q=x6n( zGRogptCdQn=>M83phEkf?ENpjt^Q{->E+S?=d4; zrs;NdW57<@IdFkY-(Eg-Ado^RDnklYLd8+^UIG-;7|NmN^laL`%-g89& zVOg8|36*UI`#Cb?GsT>v^Onb5ybo0LXdL$*Acmc0c*5`{4yhHMi;mT(3cRfQE(?8} z(Wx?IzTCj2`eoB`KWJFU(r#dpJ;I8W#&)%w8bpi--X)R9|k$(faRl$q7B+4-Npx*-4 z$FAj4g7eHA6tDUk(K+Bw9Rn;V^ybCR#`pFhL)j-PQf z3S}!#;yD!Yu6RFpK1JTP6372G?CW3pr<(sKH=3*I5(I#`{QqX&{?mEU*?i*vALH}H z|L5?YfPF0iK>9qS1Rzs9i2wx=U|~*Q-Ru*q|HSG)vHHIUR$pH9WApmCX`h(=hh+At zWWy7;|4^SQ{vQxV1ju43X<+B(f7l@VZ>O`py|cN!L-8M*PxZeaKljm+R+Ck_F`W_5~Smc1WsftEMS-$}#OveD%`#YKv8V3sik3&noE(N?6e5 zY#y}fa8D1-gnlUu+&$A9=ez`-n5CzW{#5XP!0_W+T}}b8dHP>W_K>UpwY&S`iT`_y z&vNrWBZn7f8o^46uXqey2Vp<+%BgqlFyVakD8p)y)Bk=&QJg1!HYiCXWqO%Lx}#78 zLZ{GkMq@J-(M$jmdna!X~aA!W&2iLY}@=@V7YVutlp#i_aO4q)Qpt>wv08NHG;Er zotbv-`8h|!C&)A7zlsNhtoNQiM#Ky(En;dv3v~-&k+go+4_M@j0IIW5Sakl{RtWQ8 zA4yc`tzc}a*IaL|uG(EFOB-c(qg!=;;YFS+qmRLNxmH(x_am%i&-v2x1Zn2Kws4Yz zo^ylJ^eBK7zJ&oM!z-lP))21tx>~qQVWo!9@oc*_6&IG-;j{{v|| zjNT_7-YKdifJ-4DRr-y`D&!6;xu5+1<%{#BDSDnWOZfcH4L4EGb4=8Od8xx}N=?Eb zrACss2R}bQpQM4)(@IL+T7YIhi5$!R%)$RlsQ^D0|L<<*`TwoXQ~c+ne4gc++QDoWO}K;N}j~A~dBLZ1e*y_aO4aVbL^+<||Q3nhoNY$0rBw z7bnMu=8I%9+E3rZ()bYc0aKfM&zchtxxN$VrO1j`qjn{bU#?UgE>gnCQqK zd1ps7mOUfQwm-tyv~)5aV^t+scJza;aamXze@Cg2l&15U_kEmPg+0&j=|oGkODdJw zmR2oq7y|q#k2}ikv*+#Z>}>78SN)VZj7OX@3H;u>Q8dMq{vIwvDo@Du{stJ33i=Nx 
zkS#~~_lNoPzq7lOr~g~KPx)UT<+F7A&urhX`rcg(i3Q)T`Yu{^JgRuo$MmOCk`>JB zimha zf0WNt{NKIf|DGu8yqp|MiR~N3qk%s+uL+@XrX84uA$CNwfI+Dz<)Bzv}9(+I!B=@ z&hKUuKjNfwxk7Dj5jH@Hsqq50MtghQj-POQ!#v37z5n4=Z;B0X(I1s3dk$tN_`AZ z1N;Ko^WH^8xkyt!ky6^bNcZx1Uah^mPer^3h*~aJCwh7+S*G=>@e?^KE@R;GOU-j| z_uc7T_ga-Vc?Q2$&Y;a^(#pBAmrj3|GvjXx8!w^;Y^cyfRi}PG9EI7`IkA#n5O4}w>i4QzW&X95 zkE%&RTGlL?=mhwvY8L?>Y^>Y30{}q*F3`zE)$*F_SK(+q9W>oZ7?4)QydU=8zdpbC@#WbCuHfzdo1>+#L9tJSMF)b=IdxuCu@ugwZ@Bi4YG$7)DK!&eP7px?tNMgXtVde0_Xy^!DuN;$;8)Rrxmg z*4HB*c)hsk8IzZ7xAYVW&mY*TBHNa8oRpTxa376s!XzG{hVFx(qOniD zgO++BRu8gyhn2NJoXIiz6%rp#Q&dCElIpmJec=V6q5#|#!GwX|gRQ3NNfKX~s6wZw z+h%V8yp|gkGydl93UABoUrJVkPOX^25y!l1ui>AHKucxBH7X8IOYk*HXoD zJo63)LHDD`E&t|C05$n|%(hh~g>%j($;jKt^*tX1UhpZ*04`xINzg~dTPl9mek7yr z<$8JE27t1fsqkY5vk4?goD_c9q(lORPQfRmo>U(tC3`<>(RhvJ;WarkS)A9(qO_HM z496|lY1p4O|GWq`?)zahNrLl15~PDT>Md}m`7Ze(QHv7#(P0qz(-~U9+^8kJ@&k|O zDH`*@SFUH|Pde$Mvaim@^Ih^oX5lc1C)wf)bUPGr$$|(b3U7ir_{C|m2ztql36Ocf zkeJ`}ETAp0u6Ek<1?MZUH2A5?Y(MAts?kSHROznvZkRGR#)BZryS;aJWlMVQ?x4$f z?YRTI?_+m|yZ>8v$E*F+qp%-zr`;&XQyqyb)LB}3agdIlV}MULfGNGR;~&nCPTzQa z5G%bOwWTjN3ch5JYbnD@;9a9xMot`;lCDutAX2zk81cvB*RR_iWpT+3)b%H*k`L1q z_RewbG#ZHXUOJd$m?I~}3mABQ>h*#oxJFYj%FkYyr9srs4M^)oqZ$mb^0#<+6$Z*Q zl&-d25J`fwEFR}yZ5c|kDQSsB?GRU>ttCyKdHbBQ#rM)E2*%zZz>GPuca5ixr#QyL zgLR^z%kxWz=ni}ezQR04@z}oxv0%+hW4OG(!trHzfKfy?Avpb^-^ zyB&m404Mo8HHNv-b=ekq)n&FnI>j^m*}$jwFaP3w#Kp7}Kz+3`4tsH*IjYr?Gb%D1 zC5Fm4&CW8vi0t$a^=`8UiP1AW07)rU_oxs=%FIsOWtK29$GlW!{Zb@D+iFwX;kOE>}{pYRCeEpA&ttbEg$N79w{+}hDo~4feCvopi$$BlYZrnep ztEqg(266ncx#!WaPCA0ckiMud^L_|cEOy=#EVmK-Jc_fyy&Mf3gZ)fXtucnpHeJrW z@b=t$ZKpTglH({3VPA$C{H5cx=<-c1Pgq~;n^xEQ;}`3Yg6<&pnxtt%P8hQVh?*@N z^<(%S@42m$dhUV9GoCnBr2X^rqcgCEVy+`>zSS_Q?C$YkoCqdM#k(zEZs$ z99LgBH8XX!=o z>hF5;9;-NQZGAs%G;%+ydnh+(lykOr+Y;ZKQoh#dvj9`;IIqoGMn&$l@}`#4@vm;+ z5B&+kKMD*A^Slk7k_If}ljr{?;c|0-;b$KI2kc%h|0n!+`-%U1jL(FK;$ldwK>_~@~qyvolW12hR|g#J8O)-0G+kks)>t%O;#JI+c>Rp>b{O;%}# zyJW~(QYN6g07`kFNm)K7gab-!ODb`Y&oC+WYA)HXR`$^XTin5M^m8`8P^K%G_>r<( 
z!AuHgoh*{s3fj-eW>o}}w}qTirJ1N^b#RWa5Zq>Z<|5i^CPbTrGx|oc-}}yw5U!GZ z7du?&iCz0LK6(D{0;m_p2)48Fa+tqA%;En!osG?%ot*x6cWe78|LdcCmdXF&NSL1~ z@O-UALf&fX{dM9;*r|tPh_G4uhsds_5yRc@ZHgP-i5}@k&XPn z9q6;J6`7P9W+m}T>1qW|xD_$(mDekrdevs^v*v#b+X@@O0CcqEH~+QiH7}aAcFDUr z`ZUJnQ)w2QBJP`YSFYFv#)YAx{_6Izx)0Y(vECNPa#A8xFXq7kVa!^r$WetA+knEO z=0Y>gbQQn=%~s)MqMkSKZ;<<<%!nRuut!9Yq87Mpn;OK*?^ox3DiU}ud|T!H zmvwim^+w>ulwL>iHfCK1)-#2}i-K!Ei|_sv_FclDz(M1(@wTnCC-$xCX)+lj z_WN$qyAA;TQb|T(eW{MX%4mIawbk)%$+LBY2TgK-o?{r`zfvU>2xRJ1XZyV#I>&za$ z#h4s+SlrOMK@=QIW2bxh6LaTQBi*%QPG;?eH{MD*x$;)%UqkeMp1YfkRc{miga2AU zQl+$YaBnw$64FARqn7-+O`hR8ha3V${>Vmf1tFFSf~Fy0kFY;&XfzVV*I~Ev&e$5K zvS==deYC0AB9mn zrke#0RuM|8kK7?zv5!-frnBAcLM<8x^XRtyDE8;JcJuRAx3n%M7o~;$wyKl!+KsCY z!S&e5U*lvfS2Og-EVrc0a)cP$g7Gz|UcQ0<8%OaJeeOJ^C!cd1!@=%^+l7w z(e@~K1pn!yYC6m?4;+9)OlX{A?$DpIctuo|l-VmPmd2N2)Esnk{`zdS z5)13BUJiE6RX;~0vdUa|^>gHH6_ZI~$`Jm^iLOxAPyWqv4AW(|-3X3F-6iyRc3L(Q z`cW1`@geUWW>$ws%_FvuppSB?4`~)vq{|KNXI}$+SoCvKZ>yLT#5mTLjc>52H5%V< zaVV1;V&;IwSQU8}Z{WVUr}c&9guA`DG2c0%-07~4%iYV$IUXxThLduwC0Q@56XRZc zGY`MUDreos#`gAxdm6JS4kkJy=2~ML4$j4_#L!2=`gEwE!9&iW!l1waW7Yyc4FS>Nr1)M^?TeaG?J!1_Y~P^aC4}!4Iwn=& zCC=Ao(>LKIiZrg$uS4DBFV5L^$10ZzZ-1R|fIM;xF>KxNy$!mNx1J5h>u`>Ve;sfW z{QBRV0e|*dBd__@-zC%AuTAgI=oE~kzI7DBQh$+Oe$j3I6a?jjX(WjTGbz4r6emEU;XrpX;pvx^V9veXUFGNbJ#!s;z7Wv_8NmDq*T3YBxu#S_TKha4V#xHx_H z?)>8X-H%6aD{^<0kpPtC;QvnJI6Ehm_}pn;AD^AW6bMR3XJ_T}G=JXP`?F4$H~$=O z2O+YF<}?-k70nCA7rW|t9ShVb9I+*~%#idstx@j0i%MZw(HR5s0%ia5heq9VCuAi@ zD&B@OpKh6l#zn}FQu^66=#Hu8Rz1TnRcQqL%)k3FVedMpWY3m6q{1=fj_f{C#G+z^ zy|scUk=vX@_U|hp*b~o{67Yi=UeFEI$sJvB1(G*JhrY?m%{+L$>+W0&bL4I`PVG1x zNq6-*nREN>s~Gh1yDx87xS9oc?a7!mrlxGcx$;^>UG|6`8e$DXGoBD=)SRORHAH;r zd9U^xLvnOOJtDHo)Je7Fa=gMVL&qrm7?6tKInp{HyQAKkH;8XB_GnG;pX$rQ0xItX zX_&a$+BwPq71h6(MqmNtv;dx8wL`hw(==)MXQuI73@ff`TVjEtwP%^?h?n~k;5|NW;V z%z}5Lu1k<~mU4R%mFXlWRPz+`NK+dAtwhmLM1f8p{x4NFu>0EIS4s1Wj8mF?qcj!$ z{kfrPz;pSc5`duwO98#YNDl>j&f$C>;B%I+DD=6V?g4%a4KxS-=1U5sPmHa4BKwSNm+)sMhi5sw(qIO@9AsReERY8>cqISJ@bCIH)sy 
zSG2>nvDzWk{-?m_Lt(nnxCVXX|9?N(*u`=?H4$)nU|WnZkE-T zTf8%EWv#fjf;IMDcQj*^yWLW8z@^<&ap$UkxhLXy1o&8Bt|g)tRdVbBNV`+d z><;)u_qL%#e`$+^b5KUfK=XkBt;}Wk!3;M0#>?(|7B(>Bmfmhb)l!4P&${KA&%NsY zN8g#&9pO6-27R;M>=f4lIrEFbEw z@6s75&UMdtoHH)60IAEkwK;>`{edq3=E{d&`rTQ+UR<2lOQkyRjB8U( z=3SX;$178RsSGA_uE^~?`)aDLMUP=$$+mMP`RkZ<6?(YYb$sVv0eiyXE3q_GmC6NM ziDe{EH)~?KmPWK%2V`m4*F9{|<2eQxn%<3*al0E2#je!qVh+4?GAvECBgPv%*mU4; z?(9Oth0QnC;`7g7wxXlD-(7Vb)`;zyENLA*hc)P8T<&53qhIY@$T5Pv4LozS9A$@F zNY1$+f?eWGm5zD;yDA;_L2gThH7#~yDvqee&6RZFr50{)5xiS9*!&U`wp}Y@VZP)= zFDX_)L3`@{>(_UMZB-l_qoNSAs9=l|*fzdhvkTvs!uMjG?}hB^PH``WdEP8bW1{Cx z^u?0`*~eW7fpo1+2Ifq8?}u{Z)@8cWQ<+B)>I_i>72WIkES*Z!nsbTtqSm}$Hsz=S z<^|+1Ngh&59#aW5s>QOIs^0>`U07Lo0TwM<=osn))`KnOzEJo) zr*2n37+>KRO07Qw4&8<}41RTk05KO3+yTm9A>YCdZh=W;+it5Wz=ZZzeEV!DA|Qee zc-`8g(zTY9#K@~FhmJG5m3a`Te-)6#BwS2MSDu@_l#Ov4)yC~*-RqXBo;q{L?X3JyxinX$sbXj5*RnuWVTF~Pox_UBFW8aGQf;XnyD2z~Gq3!k zkV|6LShKQoCdyC8HsZZ6tZdL_-4uxD*+K+`8ZLfIh30p?ql$s4B)EL+_aJER@$PAbYn-gsx-jZ;hkGmZtABknhq%uz76)G5 zWfsT25;$S)wKRqmUOIrmvhFr$7Pm{ytLaa8~j0^XgK2RfORfb^{IceWj$+O z?Yu$makr&IFYR(mM}Nr2I*LaF-?`bhaTe@(KLuXbk0Q)|`kdN4=ZvS`DBvUcdo_TWx@vIl?`lsW|S^K&d$N{jtPJ+&dFx zzm$br04I#o@d8&SCWc(&+6?imVd~#j#b|fGqly8Sg}-eR-y+!BvK}q|sLDItSvxRm zxVyivic#h>{``Id5Ua3+eXyPTPr5 zx+J@@@zv3(U~~}?nB5zI@Wo8sv@)1d_nf12))Saa=lHR5&=})vWnXQw)w$Oe2v)n_ zF14L|-bRZJ>uj~8_h;BFmb#m_Pp3_tExH|-wmU>q2WQ6s()-sqUK;j-uAkK0wU2!l z+Iy~L-4n=nuYC?IbHR>*F$;!({pU$tI4d_@Oya6+Uz^U(8L2*=tse01XtsLH`%_i- zmdadYZQt>ESGTy=_}qTxL`vN#7roLMBj4|87j_N5!xb;+4ZifNp5gaAdx7&@o)_%x zIf!bh_g3!2t%pU8`_qP0G6s05I`Q~O^Ty+}1 z3bqedH7AWJ3eMQsaO_uk8E-h0EYz!Bb^}Xgl!*tjmP6%t^0b2K(?WWhfXu>y> z@t8QbzfR&zj-Mu>5oA8=*Gj^&@PX>{!gTVSn?J2_kX+t+{&AMJ%N^>hmhMqvwHH%l zi%#YHBp%WO)Aa>TgTCNN)32mH7lM!V8+4p?nuU|~&bkAj%S5LKfgfc9kJ1H^nwV